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EXAMINING HOW THE CONSUMER FINANCIAL 
PROTECTION BUREAU COLLECTS AND 
USES CONSUMER DATA 


Tuesday, July 9, 2013 

U.S. House of Representatives, 

Subcommittee on Financial Institutions 
AND Consumer Credit, 
Committee on Financial Services, 

Washington, D.C. 

The subcommittee met, pursuant to notice, at 10:04 a.m., in room 
2128, Rayburn House Office Building, Hon. Shelley Moore Capito 
[chairwoman of the subcommittee] presiding. 

Members present: Representatives Capito, Duffy, McHenry, 
Pearce, Posey, Fitzpatrick, Westmoreland, Luetkemeyer, Stutzman, 
Pittenger, Barr, Cotton, Rothfus; Maloney, Scott, Velazquez, Lynch, 
and Heck. 

Ex officio present: Representatives Hensarling and Waters. 

Chairwoman Capito. The subcommittee will come to order. With- 
out objection, the Chair is authorized to declare a recess of the sub- 
committee at any time. I don’t think that is going to be necessary. 

We are here this morning to learn about the Consumer Financial 
Protection Bureau’s (CFPB’s) collection and use of consumers’ per- 
sonal financial data. Unfortunately, the fact that we need today’s 
hearing is an important indication of how little meaningful infor- 
mation the CFPB has been providing to us and to the public. 

The American people have a right to know how a government 
agency is collecting and using their personal financial data. So far, 
the CFPB has declined to provide, I believe, concrete answers to 
these questions, and I hope we get some of those answers on record 
today. 

This past April, Senator Crapo, the ranking member of the Sen- 
ate Banking Committee, highlighted the CFPB’s decision to not 
provide him with the specific number of consumer accounts the 
agency is monitoring. Instead, we were forced to rely on accounts 
from news media outlets which indicate that the number of ac- 
counts may be as high as 10 million. 

For an agency whose initial leader once touted that, “This con- 
sumer bureau belongs to the public, and we are building it right 
out in the open there for anyone to see,” the refusal to answer this 
simple question is troubling. Without definitive answers to this and 
other basic questions, it is difficult for consumers to determine how 
much of their financial data is being aggregated by the CFPB. 

( 1 ) 
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It is critical, I believe, for American consumers to know why a 
Federal agency is collecting their financial data and how the CFPB 
is ensuring that data has the proper safeguards. Last year, the 
GAO and the Federal Reserve’s Inspector General found serious de- 
ficiencies with the CFPB’s systems and controls for the data they 
and the outside entities they are contracting with are collecting. 

More recently, in March of this year, the Federal Reserve IG 
issued a report with nine recommendations for the CFPB to im- 
prove the consumer response system’s security controls. I am deep- 
ly troubled that not only do we not know how many consumer data 
files the CFPB has collected, but also that outside entities have ex- 
pressed serious concerns about the ability of the CFPB to safeguard 
this data. 

I am also concerned about the use and storage of personally iden- 
tifiable information when collecting consumer data files. Despite 
the clear intent of Congress that the CFPB should not be collecting 
personally identifiable information, the CFPB did acknowledge in 
the fall of 2012, in a system of records notice that the agency will 
be collecting personally identifiable information that will be held 
indefinitely to match data files with other records in order to pro- 
vide the CFPB with more comprehensive data to analyze. Much 
like the earlier issues I have highlighted, we simply do not know 
the extent to which the CFPB is collecting, storing, or having out- 
side contractors collect and store consumers’ personally identifiable 
information. 

American consumers want answers to these questions. It is my 
hope that today’s hearing will begin a more transparent discussion 
of how the CFPB is collecting and using consumer data. Many of 
us have feared that the CFPB would eventually limit the ability of 
consumers to choose the financial product that best suits their indi- 
vidual needs. However, the prospects of the CFPB watching a con- 
sumer’s every financial decision could be troubling. 

I now yield to Representative Maloney for the purpose of making 
an opening statement. 

Mrs. Maloney. Thank you. Chairwoman Capita, and welcome to 
Mr. Antonakes, the Acting Deputy Director of the CFPB. Thank 
you for being here. 

I would like to remind my colleagues that it was insufficient 
oversight of many financial institutions and the lack of oversight 
of others that led to the financial crisis. By all accounts, the data 
wasn’t there to make good judgments about what was happening 
to our economy. Data-driven decisions are absolutely critical to 
making informed and intelligent determinations about the impact 
of financial products and their impact on consumers and the broad- 
er economy, and to improve the supervision of financial institu- 
tions, including those firms like debt collection companies and pay- 
day lenders that have gone largely unregulated until now. We 
know that industry uses data to make decisions and market prod- 
ucts. The CFPB should use and have access to the same informa- 
tion to protect the overall economy and to protect consumers. 

I would like to note that there have been no objections, to my 
knowledge, to the CFPB’s work from the privacy groups, those 
groups whose goal is to protect the privacy of consumers. In fact, 
I ask unanimous consent to place in the record a letter from pri- 
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vacy and consumer ^oups in support of the CFPB’s use of data. 
It came in this morning, and it includes the Center for Digital De- 
mocracy, Consumer Action, the Consumer Federation of America, 
the Consumer Watchdog Privacy Rights Clearinghouse, Privacy 
Times, and USPIRG. They are supporting the use of data and the 
collection of it. 

And may I place this in the record. Madam Chairwoman? 

Chairwoman Capito. Without objection, it is so ordered. 

Mrs. Maloney. Thank you so much. And I think that it is impor- 
tant that we are having this hearing, because it allows the com- 
mittee to examine how the CFPB is carrying out both its mandate 
to protect a data-driven agency and its mandate to protect the pri- 
vacy of consumers and the confidentiality of the information that 
it collects. 

The more data the Bureau has, the better informed it is when 
it writes rules. We also, however, have to ensure that the privacy 
of consumers is properly protected. The key will be striking the 
right balance between the need for sufficient data and the need to 
protect consumers’ privacy. 

The Bureau has done a good job so far in using data analysis to 
protect consumers and to inform policymakers. For example, in 
April CFPB Director Cordray — the Bureau needed the authority to 
collect and analyze data to publish its report on the effects of the 
CARD Act, a bill that I authored and that I am very close to. And 
I was very, very encouraged when the Bureau found that the 
CARD Act has delivered significant benefits to consumers. That is 
important. This kind of information is helpful for policymakers, be- 
cause now we know which approaches to regulation work and 
which approaches don’t work. 

Turning to its second mandate, it is important to remember that 
when Congress authorized the CFPB to collect data in Dodd-Frank, 
it included numerous safeguards designed to protect consumers’ 
personal privacy and to prevent the misuse of confidential informa- 
tion. For example, while the Bureau has the authority to collect 
data to inform its rule-writing. Congress specifically prohibited the 
Bureau from collecting data for the purpose of analyzing personally 
identifiable financial information. 

In fact, it is my understanding that the information and who the 
person is, is completely divided so that you can’t even get at that 
kind of information without going to a second step. Congress re- 
quired the Bureau to establish and comply with separate rules re- 
garding the confidential treatment of personal information that it 
collects. Even when the Bureau is sharing information with its fel- 
low bank regulators. Congress specified that the Bureau can only 
do this, “subject to the standards applicable to Federal agencies for 
protection of the confidentiality of personally identifiable informa- 
tion.” 

Not only do other banking regulators often purchase data from 
the same outside vendors as the CFPB, but other banking regu- 
lators also collect far more data from financial institutions than the 
CFPB does. For instance, in order to prepare the annual stress 
tests for the largest banks, the Federal Reserve requires these 
banks to hand over significantly more information than they have 
to submit to the CFPB. 
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When the Bureau purchases data from outside vendors or col- 
lects it directly from financial institutions, the Bureau rigorously 
follows its privacy and confidentiality mandate. And that is very 
important. 

Finally, I would like to point out that despite all the talk about 
the CFPB allegedly being unaccountable, this is the 38th time that 
a CFPB official has testified before Congress, and we welcome him, 
and I look forward to his testimony. 

And I yield back. Thank you. 

Chairwoman Capito. Thank you. Mr. Duffy for 2 minutes. 

Mr. Duffy. Firstly, I thank the chairwoman for holding this very 
important hearing. I think it is important that America knows the 
kind of information the CFPB is collecting on them. 

Some of my friends across the aisle will say that the more data 
that the Bureau has, the more data that our government has on 
American citizens, the better off we are, the safer we are. But if 
you look at the past several months, Americans have found out far 
more information about what their government is doing in regard 
to collecting information on them, whether it is the NSA or the 
IRS. 

Many of my constituents are concerned that our government has 
their health records, their phone records, their Internet records, 
their e-mails, and now the CFPB is monitoring their financial 
records. And we have a concern about our constituents’ right to pri- 
vacy in regard to the information that the CFPB or others collect 
in regard to their very private financial transactions. 

My concern here is that much of the information that we re- 
ceived about your data collection or your monitoring of financial in- 
formation has come from news reports or from Freedom Watch’s re- 
quirement for freedom of information. And our concern is that you 
have been less than forthright about saying, “This is what we are 
collecting, this is who we are collecting it from, this is how long we 
are keeping it, and this is what we are using it for.” 

Frankly, there has been a veil of secrecy around the collection of 
data at a time when the agency, as it is ramping up, has made a 
pledge to Congress and to the American people to be open and 
transparent. I believe that the agency or the Bureau should lead 
by example. 

If you want to collect information about Americans’ financial 
transactions, if you want to monitor their financial transactions, 
you should make a request to them, ask for their permission to col- 
lect that data, but you shouldn’t collect it without their permission. 
I yield back. 

Chairwoman Capito. Mr. Scott for 3 minutes. 

Mr. Scott. Thank you very much. Madam Chairwoman. 

This is a very timely hearing. The Nation’s attention is riveted 
on this whole issue of monitoring and surveillance. And I think it 
is very important that we have a very clear explanation, a clear un- 
derstanding from the CFPB, and answer each of these charges — 
and they are charges coming from the other side. And this is 
healthy. This is what American democracy is all about. 

Let me just remind everyone why we have the CFPB. The CFPB 
was put in the Dodd-Frank Act to protect consumers. You cannot 
protect consumers without the capacity of gathering information. If 
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you limit that capacity of the CFPB, it is sort of like cutting the 
legs out from under them and then condemning them for being a 
cripple. 

This is an opportunity for us to let our light shine in this Finan- 
cial Services Committee and get down to the truth of the matter. 
And I urge my colleagues on the other side to not use this in scor- 
ing political points for one side or the other, but let’s score some 
points for the American people and let us shed some light on the 
fact that this CFPB needs to be able to gather information and 
data to protect our public from unscrupulous lenders, and to help 
make sure we stabilize our financial system. 

And the other matter is to deal with how we deal with the reach 
of the data information overseas. We are no longer just here in the 
United States. Our economy is worldwide. How do we interface the 
collection of our data and information in that way? 

I think, to Chairwoman Capito’s concerns — which are legitimate, 
and I am glad that she and a couple of my colleagues brought it 
up — about this personal identification of information, let me make 
clear that at the very beginning, in Dodd-Frank, the law which cre- 
ated this, it totally forbids the collection of any data that can be 
personally identified by name, or by Social Security number. All of 
that is spelled out. It is there. They only have the same charge that 
our other regulators have, the Fed and others. And we are not talk- 
ing about that. 

So I just want to make sure we understand that we have some 
serious, serious questions to ask here. I want to take the oppor- 
tunity to do so. And I do understand the concerns of the other side, 
and I respect them, and I think there are legitimate points that we 
have to make sure we get an answer to, from you, Mr. Antonakes. 

Thank you. 

Chairwoman Capito. Mr. Pittenger for IV2 minutes. 

Mr. Pittenger. Thank you. Madam Chairwoman. Thank you for 
yielding me the time to address this vital issue regarding methods 
of data collection of the CFPB. 

The privacy of American citizens, whom we all have the responsi- 
bility of representing, is at stake. Over the past several years, we 
have learned how the IRS targeted conservative groups during the 
last Presidential election. We have seen the Department of Justice 
attack reporters for upholding the First Amendment and how one 
individual can inflict immense damage on our national security ap- 
paratus with NSA data. And now we observe how the CFPB is 
monitoring and collecting data on millions of Americans with the 
use of their credit cards, mortgages, and their checking accounts. 

The recent Bloomberg articles from this past April state how the 
CFPB has already targeted at least 10 million Americans in their 
quest for this private information. The CFPB is obtaining this in- 
formation in two different ways: by putting pressure on banks 
under certain Dodd-Frank provisions; and by acquiring it from out- 
side sources. In the wake of what has happened in the IRS and the 
Department of Justice, the CFPB should exercise extreme restraint 
with their enormous power. The American people are very hesitant 
with government overreach, and these new policies could easily fall 
into the same abusive actions as other Federal agencies. 
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The questions being addressed here today go to the heart of 
American liberty and freedom. And I do look forward to the an- 
swers. Thank you. 

Chairwoman Capito. Thank you. 

I would like to yield 214 minutes to the ranking member of the 
full Financial Services Committee, Ms. Waters from California. 

Ms. Waters. Thank you very much. 

The Consumer Financial Protection Bureau fully opened its doors 
on July 21, 2011. Today, it is just shy of 2 years old. In the months 
before the agency officially opened, members of the transition team 
testified before Congress 7 times. As it was a young agency being 
built from the ground up, that may have been necessary. In addi- 
tion to the 7 times the CFPB has been called to Congress to testify 
prior to its opening in July 2011, CFPB officials have been called 
up to testify in Congress 31 times, more than once a month. 

During that time. Director Cordray’s nomination has been held 
up by a Senate minority who claims they want to improve an agen- 
cy whose creation most of them never supported in the first place. 
Now, it makes good sense for Congress to perform oversight of gov- 
ernment agencies, but at some point, it may be appropriate to con- 
sider whether oversight has become a disguise for harassment. 

However, in the last 2 years, when the CFPB has not been sit- 
ting in a committee room, they have been hard at work. In addition 
to setting up a brand-new agency, the first of its kind, and issuing 
regulations that are directed by the Dodd-Frank Act, they have 
been tirelessly enforcing the laws Congress passed to protect con- 
sumers. The CFPB has recovered over $400 million for 6 million 
American consumers who were the victims of predatory financial 
practices. 

Today, the committee has gathered to talk about the CFPB’s 
data collection practices. We share your concern that this data be 
treated carefully by regulators, credit-reporting bureaus, data 
aggregators, and financial services providers to protect the privacy 
of consumers. We would note that Section 1022 of the Dodd-Frank 
Act specifically bars the CFPB from gathering or analyzing person- 
ally identifiable financial information of consumers. 

It is clear that the CFPB has a duty to protect not just the con- 
sumers’ choices, but also their privacy. It is unclear to me if any 
legitimate consumer or privacy advocates have raised concerns 
about the CFPB’s data collection practices thus far. However, it is 
clear that access to this data is vital to the CFPB’s mission of pro- 
tecting consumers. 

If we are going to expect the CFPB to create a level playing field 
for consumers, they are going to need to have at least the same 
level of access to information about consumers as the largest banks 
and financial services providers have. That same data will also 
allow them to emulate other regulators, like the FDIC and the Fed, 
which provide markets with important consumer banking data and 
will be a tool for identifying bad lending practices before another 
crisis happens. 

I strongly support the Consumer Financial Protection Bureau 
and think they have been doing an excellent job on behalf of the 
consumers. And I look forward to the witness’ testimony. I yield 
back the balance of my time. 
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Chairwoman Capito. Thank you. Mr. Fitzpatrick for IV2 min- 
utes. 

Mr. Fitzpatrick. Thank you, Madam Chairwoman. 

Today’s hearing is, I think, very timely. Events in the news have 
focused the American people’s attention on the very important sub- 
ject of privacy and government surveillance. Data collection and re- 
search is not a bad thing. In fact, it is the sort of diligence that 
we would expect of our regulators. 

However, just because a government agency has good intentions 
or a benevolent-sounding name doesn’t mean Congress should just 
look the other way while tens of millions of Americans are having 
their financial history gathered up and stored. 

Just as the Dodd-Frank Act gave the CFPB the authority that 
it is now exercising to collect this data, the law also put some very 
specific constraints on this activity. Recent stories involving the 
NSA have demonstrated that the American people and Members of 
Congress have every reason to be suspicious of so-called metadata 
gathering, and any analysis of that. 

We don’t just need assurances that there is nothing potentially 
harmful or invasive going on. We need maximum transparency to 
ensure it beyond any doubt. The CFPB must do more in this re- 
gard. 

The right to privacy is not an inconvenient matter that can just 
be swept aside when it hinders government investigations. It is a 
constitutional right that deserves the highest levels of protection. 
Privacy and freedom from unwarranted surveillance are funda- 
mental to our individual liberties, and we cannot allow any tres- 
pass on these hard-fought principles, so I appreciate the chair- 
woman’s work on this matter, and I look forward to the hearing. 

Chairwoman Capito. Thank you. 

Our final opening statement will be from Mr. Luetkemeyer for 
IV2 minutes. 

Mr. Luetkemeyer. Thank you. Madam Chairwoman. 

For the past several months, American citizens have been made 
aware that the IRS has targeted specific organizations based on po- 
litical activities. We have witnessed a significant leak from a pri- 
vate contractor who exposed classified and protected documentation 
showing a broad abuse of current law. We continue to see the po- 
tential for personal information to be misused and compromised by 
the government. 

And now we learn that the CFPB, an agency that has always 
touted itself as being transparent, could be collecting and storing 
individualized information on potentially millions of Americans. 

Despite the self-professed claims of transparency and consumer 
protection, the CFPB has proven to be unwilling to show how much 
individual data it is collecting, the level of detail of the information 
it is collecting, the number of people who have access to this data, 
or which foreign nations may have access to the information. 

The simple fact of the matter is that the CFPB could very well 
be jeopardizing consumer protection instead of ensuring it. It is 
time for the CFPB to answer questions and allow for the trans- 
parency it claims to value as an organization. I look forward to 
learning more about the activities of the CFPB, and I hope that our 
witnesses will be forthcoming and affirmative. 
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With that, Madam Chairwoman, I yield back. 

Chairwoman Capito. The gentleman yield backs. 

I would like to introduce Mr. Lynch for the purpose of making 
an introduction. 

Mr. Lynch. Thank you. Madam Chairwoman. I appreciate the 
courtesy. And I thank the ranking member, as well. 

I would like to take this opportunity to welcome — on behalf of 
Mr. Capuano and I; Mr. Capuano is the senior Member of the Mas- 
sachusetts delegation on this committee, and he is in another hear- 
ing — Mr. Steve Antonakes, who is an over-20-year employee of the 
Division of Banking in Massachusetts. He spent almost 8 years as 
the head of our banking division in Massachusetts. As you know, 
in Massachusetts we have a long and strong tradition of banking 
regulation that is vigilant in the protection of consumers, while fos- 
tering competitive financial markets. So, Steve, thank you for com- 
ing to the committee and helping us with our work. And I look for- 
ward to your testimony. 

And again. Madam Chairwoman, I thank you for the courtesy. I 
yield back. 

Chairwoman Capito. Thank you. 

I would like to welcome our witness, Mr. Steven L. Antonakes, 
who is the Acting Deputy Director of the CFPB. Mr. Antonakes, 
you are recognized for a 5-minute statement. Thank you. 

STATEMENT OF STEVEN L. ANTONAKES, ACTING DEPUTY DI- 
RECTOR, CONSUMER FINANCIAL PROTECTION BUREAU 

(CFPB) 

Mr. Antonakes. Great. Thank you. Good morning. 

Chairwoman Capito, Ranking Member Waters, Ranking Member 
Maloney, and members of the subcommittee, thank you for the op- 
portunity to testify today about the fundamental importance of 
data analysis to the Consumer Financial Protection Bureau’s mis- 
sion to protect consumers. My name is Steven Antonakes, and I 
serve as the Acting Deputy Director for the Bureau. 

The Bureau is a data-driven agency, because Congress recog- 
nized that the Bureau cannot do its job of protecting consumers 
and honest businesses unless it understands the consumer finan- 
cial markets it oversees. The Dodd-Frank Act specifically directs 
the Bureau to gather market information pursuant to a variety of 
authorities and through multiple sources. Like other financial serv- 
ice regulators, the Bureau only effectively supervises markets 
which it understands. 

As required by Dodd-Frank, data analysis enables the Bureau to 
not only better protect and educate consumers, but it also enables 
the Bureau to coordinate with other regulators and craft tailored 
rules based on a careful examination of costs and benefits. The Bu- 
reau’s evaluation of this data also allows it to provide meaningful 
reports, as required by Congress, and to perform its consumer re- 
sponse function. 

In Fiscal Year 2012, the Bureau spent $7 million on obtaining 
data to support its mission. To place this into context, that com- 
prised 2.4 percent of the Bureau’s total budget. To date, the Bu- 
reau’s Fiscal Year 2013 data procurements total $3 million, or 0.6 
percent of the total budget. The Bureau makes every effort to col- 
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lect market data in an efficient manner with an eye towards reduc- 
ing the burden and cost on industry. The Bureau also makes every 
effort to safeguard and protect information that it does obtain. 

The Bureau collects and studies data to protect consumers 
throughout the United States in accordance with its statutory man- 
date, not to study any particular individuals. In an effort to mini- 
mize cost and burden on financial institutions, the Bureau relies on 
information it already has or that other regulators share. This 
practice is not only efficient, but also saves industry from providing 
the same information on multiple occasions. 

We may also acquire data from third parties and have already 
collected and compiled information. 

There were also instances where market participants and indi- 
viduals voluntarily submit data. For example, the Bureau has suc- 
cessfully tackled some of the unique problems facing military con- 
sumers based on data submitted to our consumer response office. 
The Bureau has helped servicemembers resolve issues with mort- 
gage servicers about permanent change of station orders and issued 
a report detailing the types of consumer financial hurdles 
servicemembers and their families experience. 

The Bureau is also committed to ensuring protection for con- 
sumers’ personal privacy. In the very limited cases where the Bu- 
reau obtains personally identifiable information, it stores and pro- 
tects that information, along with other confidential information 
and data, according to information security requirements that com- 
ply with applicable Federal laws and regulations. The Bureau pub- 
lishes a privacy policy on its Web site that sets forth privacy prin- 
ciples and steps that it takes to protect consumers’ personal pri- 
vacy. 

We at the Bureau are committed to delivering tangible value to 
American consumers. With that in mind, I would like to share 
some Bureau accomplishments where data has impacted our work 
and benefited consumers. 

$6.5 million: the amount returned to servicemembers who par- 
ticipated in the Military Installment Loan Educational Services 
(MILES) auto loan program and were misled about the fees they 
were charged and the true cost of their auto loans. 

50,000: the number of servicemembers who will get money back 
as a result of the Bureau’s supervisory and enforcement review of 
the MILES program. 

$432 million: the amount of money being refunded through Bu- 
reau enforcement actions to consumers who have been subjected to 
deceptive practices. 

6 million: the number of consumers receiving refunds because of 
2012 Bureau enforcement actions. 

More than 150,000: the number of complaints the Bureau has 
handled from consumers in every State across the country since the 
Bureau formally opened its doors in July 2011. 

28,000: the number of responses from experts and individuals im- 
pacted by student debt. This information enabled the report on stu- 
dent loan affordability. 

And 644: the number of colleges voluntarily adopting the finan- 
cial aid shopping sheet developed by the Bureau and the United 
States Department of Education. 
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Chairwoman Capito, Ranking Member Maloney, Ranking Mem- 
ber Waters, and members of the subcommittee, thank you for the 
opportunity to testify before you today. I will be happy to answer 
your questions. 

[The prepared statement of Mr. Antonakes can be found on page 
52 of the appendix.] 

Chairwoman Capito. Thank you, Mr. Antonakes. I will now rec- 
ognize myself for 5 minutes for the purpose of beginning the ques- 
tion-and-answer period. 

In my opening statement, I asked for specific numbers on how 
much data you are collecting and from how many individual con- 
sumers. Can you give me some specifics on that? You gave me a 
lot of numbers, but specifically on how many accounts you are col- 
lecting and monitoring? 

Mr. Antonakes. Thank you. Chairwoman Capito. The important 
thing for us is the data collection that we conduct serves the pri- 
mary mission of the Bureau, and that is to protect consumers. 

Chairwoman Capito. Right, so how many — 

Mr. Antonakes. The vast majority of data that we collect is 
anonymized and does not include personally identifiable informa- 
tion. And that goes for all the data that we purchase and data 
that — 

Chairwoman Capito. And for how many accounts is that? How 
many accounts is that? If it doesn’t have any personally identifiable 
information, what is the number? That is what I am trying to get. 

Mr. Antonakes. I don’t have the exact number. We will be 
happy to follow up with you on what the number is, but we do look 
at a substantial amount of data in order to understand the markets 
and determine where risks may lie. 

Chairwoman Capito. Right, so — 

Mr. Antonakes. The only instances in which we will take in per- 
sonally identifiable information would come through one of two 
channels. The first would be when consumers affirmatively reach 
out to us through our Consumer Response hotline and are seeking 
our help in resolving a complaint. The only other circumstance is 
when we are using our supervisory tool, conducting examinations 
of the banks, the credit unions, and the nonbanks under our juris- 
diction. The Bureau conducts examinations in the same fashion 
that all of the prudential regulators and State regulators do. 

And in that instance, that work is what has resulted in our abil- 
ity to refund significant amounts of monies to consumers. We are 
seeking data to understand markets and to protect consumers. 

Chairwoman Capito. Right. 

Mr. Antonakes. We are not seeking data to monitor individual 
Americans. 

Chairwoman Capito. Okay. So in your strategic plan, you men- 
tioned that you were going to maintain a credit card database cov- 
ering 80 percent of the credit card market, correct? That is in your 
statement. 

Mr. Antonakes. Correct, yes. 

Chairwoman Capito. And so that would be over 900 million ac- 
counts. It seems to me, if you are looking for trend lines, 80 per- 
cent — I took statistics when I was in school 150 years ago — you 



11 


don’t need 80 percent of the market to figure out what the trend 
lines are. 

Let me ask you this. You mentioned, too, $7 million for obtaining 
data. This year, $3 million for obtaining data. Is that the amount 
of money that the CFPB has paid to private contractors for obtain- 
ing financial data? 

Mr. Antonakes. I believe that to be correct, yes. 

Chairwoman Capito. That is correct? 

Mr. Antonakes. I believe that to be correct, yes. 

Chairwoman Capito. Okay. What kind of proper background in- 
vestigations do these private contractors have to be able to han- 
dle — we have already learned about somebody taking a thumb 
drive in and exposing national security secrets. What kind of pre- 
cautions do you require for your private contractors? 

Mr. Antonakes. We do vet the contractors. Moreover, it is writ- 
ten into our contracts that they have to abide by the Privacy Act 
and comply with all of the laws. They also have the safeguards that 
we would have if we were collecting that data on our own behalf 

Chairwoman Capito. And then you mentioned, too, that you data 
share with the other regulators so you are not duplicating this. Can 
you tell me, from an institutional standpoint, we have heard 
anecdotally about a lot of institutions which are having to data 
dump to everybody and they are wondering what happens with all 
this data. So you are telling me that all the repetitiveness and re- 
dundancy is out of the system? That is not what we are hearing 
anecdotally from the institutions which are regulated by you and 
others. 

Mr. Antonakes. That is a great question. I think, in many re- 
spects, it gets to the kind of new relationships we continue to fur- 
nish with our sister regulatory agencies. We certainly want to en- 
sure that, to the extent we are both seeking information, we are 
coordinating together. It is far better for us to share that informa- 
tion directly with the Federal agencies than to make a repetitive 
data request of a financial institution. 

Moreover, our examiners are instructed that if the institution 
tells our examiners that they have already provided very similar 
data to another agency, they should accept that data in lieu of a 
second data request. If there is other data that the institution has 
run for its own purposes, that would essentially provide what we 
need, they should accept that. 

Chairwoman Capito. So would you say that is more of a work 
in progress, where the coordination — 

Mr. Antonakes. I would say it is a transitional issue that has 
gotten better over time and will continue to do so. 

Chairwoman Capito. Okay. How long do you store data for when 
you collect it, say, in 2013? How long does it stay a part of the sys- 
tem? Is it in the cloud? Or where is this data? 

Mr. Antonakes. We are in the process of developing and getting 
approved, through the National Archives, our data destruction 
schedules. They have not been approved as of yet. We want to 
make sure that the data is appropriately safeguarded and that we 
are taking it off our systems in appropriate periods of time. 



12 


Chairwoman Capito. So basically what you are saying is that 
you are still holding the data that you have originally collected, be- 
cause you don’t have a data destruction plan, correct? 

Mr. Antonakes. That is correct. 

Chairwoman Capito. Correct. All right. 

Mrs. Maloney? 

Mrs. Maloney. I thank the chairwoman. And I believe the chair- 
woman raised some important points about, really, coordinating 
with other agencies on what data is collected. In preparing for this 
hearing, I was reading documents which said that other agencies 
collect far more data than the CFPB does. It would be interesting 
to see a breakdown of who is collecting what, how it is being coordi- 
nated, and I would like to join the gentlelady in the request to the 
GAO to do such a report. I think it could be helpful in policy and 
going forward to see who is collecting what data, how could they 
share it better, streamline it, and I think that is something we 
could work on. 

My colleague, Mr. Lynch, pointed out that you served under Gov- 
ernor Romney as the superintendent of banks, and you also served 
during the financial crisis of 2008. Could you comment on your ex- 
periences? Did the State of Massachusetts have sufficient data to 
help with this crisis, to help the consumers, help the economy, help 
the State? 

Mr. Antonakes. Thank you. Ranking Member Maloney. We did 
have the advantage, as Congressman Lynch pointed out, of having 
very strong consumer protection laws in Massachusetts. However, 
we were significantly disadvantaged, in my mind, by the lack of 
data that we had at our disposal. I think the financial crisis some- 
what brings that to light. 

We were busy during that period of time implementing previous 
State legislation on predatory lending, and adopting regulations to 
deal with abuses that occurred in the refinance market. 

Mrs. Maloney. So I see that basically you could have protected 
taxpayers’ monies more if you had more data. Is that a fair state- 
ment? 

Mr. Antonakes. Yes, I think we were responding to the earlier 
issue without the data to see that the abuses had shifted to the 
purchased money markets. 

Mrs. Maloney. Also in your testimony, you said that you super- 
vised — or your Bureau did — the return of $6.5 million to 
servicemembers who had been harmed by unscrupulous lenders. 
Can you talk a little bit more about this case and how the collec- 
tion of data enabled the Bureau to help nearly 50,000 men and 
women in the armed services and the distinction of what you said, 
farming data to come up with policies for credit cards and over- 
draft, and how that is different from how you helped these 50,000 
servicemembers? 

Mr. Antonakes. Certainly. So this case really stemmed from two 
sources for us, complaints filed with our Consumer Response divi- 
sion, as well as examination activity that we did: digging into their 
records; digging into the files; and digging into information that led 
us to conclude that unfair and deceptive acts and practices had oc- 
curred. A number of servicemembers were being charged more than 
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was disclosed to them in their automobile loans. Data also allowed 
us to identify those servicemembers who would be reimbursed. 

Mrs. Maloney. I believe that my colleagues on both sides of the 
aisle have raised the importance of privacy. Not only do you need 
the data, but we need to protect the privacy of consumers. And, 
again, I refer to the letter that came in from seven consumer 
groups saying that they applaud the efforts of the Bureau in col- 
lecting this data and that these safeguards are in place. 

Because this is such an important issue, I would like to request 
if we could do an on-site visit to the CFPB and see how the data 
is secured, how it is done; seeing is believing. And I think no mat- 
ter how much that you tell us that it is secure and the consumer 
is protected, I feel that this would be something that could be help- 
ful. 

Do you think that would be beneficial? Could we do such a visit, 
off-site visit? 

Mr. Antonakes. We would be honored to welcome any members 
of the committee or the Congress to come to our facilities. 

Mrs. Maloney. I have no further questions. I yield back. 

Chairwoman Capito. Thank you. 

Mr. Duffy for 5 minutes. 

Mr. Duffy. Thank you. Madam Chairwoman. 

I want to follow up on a question from Chairwoman Capito in re- 
gard to, how many Americans are you collecting data on? How 
many Americans are you monitoring? You said you would get back 
to the committee, but can you give us a range? Because we have 
read reports that it is 10 million Americans who are being mon- 
itored or have data being collected on them. What is the range? 

Mr. Antonakes. Congressman, we are not monitoring any indi- 
vidual Americans. We are collecting broad data on markets to un- 
derstand how varied markets work. 

The PIT is constrained to the extent that we are fulfilling our 
consumer response mandate, as well as our examination mandate. 

Mr. Duffy. I am asking you a question about a range, then, of 
how many Americans have their data collected by the CFPB. How 
many? 

Mr. Antonakes. I can get back to you with precise numbers, but, 
again, I feel — 

Mr. Duffy. I am not asking you — 

Mr. Antonakes. — the need to point out that we are collecting 
broad data that is desensitized, does not include specific informa- 
tion about Americans. 

Mr. Duffy. I know. Reclaiming my time, I know that. But I want 
a range of how many Americans have their data sampled or col- 
lected by the CFPB. What is the range? Is it 10 million? Is it more 
than 10 million, less than 10 million? What is it? 

Mr. Antonakes. I can — 

Mr. Duffy. You have to know a range. 

Mr. Antonakes. I can — Congressman, I am happy to provide you 
a granular breakdown of what that looks like. I don’t have that in- 
formation in front of me at this moment. But, again, I do think it 
bears repeating — 
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Mr. Duffy. But you don’t — reclaiming my time — know a range of 
the number of how many people have their data collected by the 
CFPB? You don’t know that range today? 

Mr. Antonakes. I couldn’t give you an accurate range. 

Mr. Duffy. You couldn’t. Okay. And what is your position, again, 
at the CFPB? 

Mr. Antonakes. I serve as both the Acting Deputy Director, as 
well as the Associate Director for Supervision, Enforcement, and 
Fair Lending. 

Mr. Duffy. Don’t you think that Americans would expect you to 
know at least the range of how many citizens are having their data 
collected by your agency? And you can’t even give us a range. Is 
it more than 10 million? Less than 10 million? 

Mr. Antonakes. Congressman, the data collection activities that 
occur at the Bureau virtually mirror the data collection activities 
that occur at other prudential regulators. And, again, our sole pur- 
pose here is not to study Americans — 

Mr. Duffy. I will reclaim my time. I appreciate that you can’t 
give us a range. 

In regard to the length of time in which you store the data, you 
are working with the National Archives Records Administration. 
Have you made a request for a length of time to keep this financial 
data on Americans? 

Mr. Antonakes. I believe there are a number of different ranges 
based upon the types of information that we are gathering. 

Mr. Duffy. How long can you keep the data or is the request to 
keep the data? 

Mr. Antonakes. I will have to confirm this with you. Congress- 
man. I believe the request is 10 years. 

Mr. Duffy. Ten years. 

Mr. Antonakes. I believe so. 

Mr. Duffy. A lot of us are involved in politics. And we see a lot 
of polling, whether it is with regard to our own races, other races, 
the President. It is sampling of data. Why can’t you sample data? 
Why are you collecting massive amounts of financial data on Amer- 
icans and potentially keeping it for years, up to 10 years? Why 
don’t you just sample data to extract the information that you need 
to make good rules and regulations? 

Mr. Antonakes. I believe it is important for us to have whole- 
some data to truly understand these financial marketplaces. I also 
believe it is important to have the data for a number of years so 
that you can do market analysis and look at trends over a period 
of time. We are still learning, I would say, in many respects, the 
impact on Americans of the financial crisis. 

Mr. Duffy. And I know that the Bureau has made a pledge to 
be transparent and open. Will you commit to sending us all the 
contracts that you engage in with third-party vendors? Will you 
send those to us? 

Mr. Antonakes. We are happy to provide the contract informa- 
tion to you. 

Mr. Duffy. Thank you. And I know that you send a request to 
financial institutions to collect data from them, as well. Will you 
share those letters with the committee that you send to financial 
institutions requesting data from them? 
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Mr. Antonakes. To the extent that we are requesting data from 
financial institutions, it is under our confidential supervisory exam- 
ination program. 

Mr. Duffy. Let me read a quote to you, and tell me if you know 
who said this: “Transparency is at the core of our agenda, and it 
is a key part of how we operate. You deserve to know what the new 
Bureau is doing for the American public and how we are doing it.” 
Do you know who said that? 

Mr. Antonakfs. I am guessing perhaps it was either Director 
Cordray or — 

Mr. Duffy. Senator Warren. 

Mr. Antonakfs. — Senator Warren. 

Mr. Duffy. Yes. So in that vein, why don’t you share that infor- 
mation with the American people? If you are taking data from 
Americans, why don’t you share the request for the data? 

Mr. Antonakfs. We don’t share the request for the data to the 
extent that we are doing it through our confidential supervisory 
program because our mission there is solely to protect consumers, 
and no other agency has to make that request. To request that in- 
formation during the course of an examination — 

Mr. Duffy. So reclaiming my time, in regard to protecting Amer- 
icans, I know you are not dealing with terrorists, like the NSA. You 
are dealing with financial data. Don’t you think it is appropriate 
that you ask for permission and consent of Americans before you 
take their data? Shouldn’t you ask them and get their permission? 

Mr. Antonakfs. I think, in the course of an examination, which 
happens on a routine basis, if we were to ask, it could conceivably 
cause reputational damage to the institutions that we are exam- 
ining. 

Mr. Duffy. I yield back. 

Chairwoman Capito. The gentleman’s time has expired. 

Ms. Waters for 5 minutes. 

Ms. Waters. Thank you very much. 

Congresswoman Maloney asked about your past experiences in 
Massachusetts and whether or not you had been involved in data 
collection and was it helpful to you as a State banking regulator, 
I believe. Let me just ask, do banks and credit card companies have 
access to this data? 

Mr. Antonakfs. Yes, they do. 

Ms. Waters. What do they do with it? 

Mr. Antonakfs. They collect it on a regular basis. They use it 
for marketing purposes, for benchmarking, and other internal re- 
views of the efficiency and effectiveness of the products and serv- 
ices that they offer. 

Ms. Waters. And so if banks and credit card companies have ac- 
cess to this data, is the suggestion here that the consumer protec- 
tion regulator should not have it? Is that what you are being 
asked? 

Mr. Antonakfs. I am not sure what the motivation of the ques- 
tion is. Ranking Member Waters. We believe we are seeking only 
the information that industry has that will allow us to conduct our 
job, to understand these markets, and understand where risks lie 
for consumers. 
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Ms. Waters. Let me just ask, we have gone through a financial 
crisis, starting in 2008, and this crisis, of course, was created in the 
financial services community by many of the initiators of mort- 
gages, et cetera. Would it have been helpful to have more data to 
be able to address this problem that we were confronted with? 

Mr. Antonakes. It certainly would have been helpful, yes. 

Ms. Waters. And so, again, if the very agencies or financial serv- 
ices agencies or companies — whatever you want to call them — if 
they had access to this data and we don’t, and they created the 
problems that we face with the subprime meltdown, doesn’t that 
put us at a great disadvantage of trying to do oversight and regula- 
tion? 

Mr. Antonakes. Ranking Member, I believe regulators are at a 
substantial disadvantage if they don’t have the information that 
regulated entities have, yes. 

Ms. Waters. Thank you very much. I yield back the balance of 
my time. 

Chairwoman Capito. Thank you. 

I would like to recognize Mr. McHenry for 5 minutes. 

Mr. McHenry. Thank you. Madam Chairwoman. 

The term, “personally identifiable financial information,” has the 
CFPB defined the meaning of that? 

Mr. Antonakes. So, Congressman, we would use the term that 
I think is more broadly defined, in terms of information that would 
allow you to identify the particular consumer. 

Mr. McHenry. Is there — 

Mr. Antonakes. We haven’t created our own separate and dis- 
tinct definition, no. 

Mr. McHenry. Okay, because in Dodd-Frank, there are two pro- 
visions that limit the CFPB’s authority to collect personally identi- 
fiable financial information. So is it the intent of the CFPB to per- 
haps have a rule defining that? 

Mr. Antonakes. There are several provisions in Dodd-Frank 
whereby we can collect information. There is one specific rule rel- 
ative to market monitoring that we have not utilized as of yet. We 
also obtain data through the purchase of commercially available in- 
formation, through voluntary data, through publicly available data 
such as the Census Bureau, through our supervisory program, as 
well as through our consumer complaint intake. Those are the 
means that we have used thus far to collect this data. 

Mr. McHenry. Yes, but, okay, so the PIT, what is that? Can you 
define that again? What does that stand for? 

Mr. Antonakes. Personally identifying information. 

Mr. McHenry. So that is very different than personally identifi- 
able financial information. Is it different than — 

Mr. Antonakes. I don’t believe it is. Congressman. 

Mr. McHenry. Okay. You don’t think it is different. So in your 
contract here, you have — we have this document. Judicial Watch 
got this from a Freedom of Information Act request that some of 
the data will contain sensitive personally identifiable information. 
So is the PIT different than what is banned in Dodd-Frank, which 
says the CFPB cannot get individual Americans’ data? 

Mr. Antonakes. We don’t believe that Dodd-Frank says we can’t 
collect PIT. 
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Mr. McHenry. Okay, well, I will follow up on that. So you don’t 
have a rule. Do you have any intention of writing a rule to define 
personally identifiable financial information? 

Mr. Antonakes. We don’t at this time, no. 

Mr. McHenry. So you wouldn’t have, perhaps, public input on 
the meaning of that, to give some assurances that you are not col- 
lecting individual data. So the personally identifiable information, 
would that include a person’s name? 

Mr. Antonakes. Again, I would say. Congressman, it would in- 
clude a person’s name. 

Mr. McHenry. It would? Okay. Would it include a person’s iden- 
tification number, like a Social Security number, maybe? 

Mr. Antonakes. Again, it would depend on the context in which 
the information was being collected. The definition of PIT would 
certainly include those things. It doesn’t mean we are necessarily 
collecting that type of information. 

Mr. McHenry. Okay. What about an address? Would an address 
be a part of that? 

Mr. Antonakes. Would an address be considered PIT? 

Mr. McHenry. Yes. 

Mr. Antonakes. Yes, sir. 

Mr. McHenry. Okay. So you have a person’s name, you have the 
person’s Social Security number, and address. What about ZIP 
Code? Not to be redundant, but would that be a part of the ad- 
dress? 

Mr. Antonakes. It could be. 

Mr. McHenry. Okay. So what about personal characteristics, 
like fingerprints or pictures? Is that prevented or is that included 
in the data? 

Mr. Antonakes. That would be considered PIT. We don’t collect 
that type of information. 

Mr. McHenry. Okay, okay, so no pictures. That is good. No fin- 
gerprints. What about property they own? 

Mr. Antonakes. Again, Congressman, if we were doing an exam- 
ination and we were looking at compliance with mortgage rules, 
during the course of an examination — 

Mr. McHenry. So, yes, like — 

Mr. Antonakes. — see the property during the course of an 
exam. 

Mr. McHenry. Yes, you would see the property, okay. What 
about employment information? 

Mr. Antonakes. Employment information? Again, perhaps dur- 
ing the course of reviewing a mortgage loan, conceivably. 

Mr. McHenry. Okay. What about medical information? 

Mr. Antonakes. No, sir. 

Mr. McHenry. No, sir? 

Mr. Antonakes. No. 

Mr. McHenry. Okay. So the fact that somebody is paying a bill 
to the hospital or has substantial debt owed to a hospital would not 
be included in this? 

Mr. Antonakes. During the course of an exam, conceivably. 

Mr. McHenry. So conceivably medical information, as well. 

Mr. Antonakes. But — 

Mr. McHenry. What about credit score? 
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Mr. Antonakes. Credit score conceivably, as well. 

Mr. McHenry. Okay. So this sounds to me like personally identi- 
fiable financial information. And this is a great concern at a time 
when people are worried about their privacy. So it seems to me you 
have no definition, no limitation on the type of data you can collect, 
or for how long you are going to collect it. 

Mr. Antonakes. Congressman, I would say only that to the ex- 
tent we are reviewing this type of information, it is through our su- 
pervisory process, through our consumer complaint process, and we 
are following the same process that has been run for years by other 
Federal and State regulatory agencies. I don’t believe we are plow- 
ing any new ground here. 

Mr. McHenry. You are not? 

Mr. Antonakes. No, sir. 

Mr. McHenry. This is no new ground? 

Mr. Antonakes. In terms of our supervisory program? I would 
say no. 

Mr. McHenry. So the fact that you want to hold nearly a billion 
credit cards and update them on a monthly basis and the people’s 
transactions — this sounds like dramatically new ground that your 
agency is taking. 

Mr. Antonakes. Other agencies — 

Mr. McHenry. With that, I yield back. 

Mr. Antonakes. — have collected credit card data before, sir. 

Mr. McHenry. On a monthly basis? 

Mr. Antonakes. Yes. 

Mr. McHenry. Updated monthly? 

Chairwoman Capito. The gentleman’s time has expired. 

Mr. Scott? 

Mr. Scott. Yes, thank you. 

I think it is very important for us to follow up on Mr. McHenry’s 
line of questioning, because I really believe he is getting to the 
heart of the matter. This information of which you get names, you 
could get their Social Security number, you can get their addresses, 
you can, in fact, get this personal identification information. Now, 
it is very important for you to very quickly explain to the — if Mr. 
or Mrs. America is watching this program, under what cir- 
cumstances is this done? How is it protected and insured against 
someone else getting it? 

And this is particularly true, because, yes, according to my infor- 
mation, you can get medical debt data. And I am interested to 
know how far that would go. Does it go all the way to the type of 
procedure, the type of treatment? Was it cancer? Was it — so how 
much of this personal data information are you collecting and why? 
And do you have the authority to do it now? 

And then, secondly, in order to make sure we have America’s 
confidence that none of this will leak out — because I will tell you, 
this is what I am concerned about. I am concerned about things 
like this little fellow who is rolling around from airport to airport 
trying to find a place to land, this — all of these leakers. And there 
are many of them out there and with the advanced technology of 
hacking. 

So I want you to kind of defend this position a little bit more, 
because we don’t want the American people to go away mis- 
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informed that you are collecting all this personal data when you 
say you don’t. 

Mr. Antonakes. Thank you, Congressman. Our statutory man- 
date, as you know, is to protect consumers. And to the extent we 
collect and analyze data, it is for the purpose of fulfilling our statu- 
tory mandate. We collect, investigate, and respond to consumer 
complaints. We conduct examinations to determine whether or not 
violations of consumer financial protection laws exist. 

Mr. Scott. Let me ask you, though, I am trying to get my hands 
around the quantity of this personal identification. How many have 
you gotten that fit this category? And how do you protect that per- 
sonal identification? We have to get an answer to that in order to 
maintain the credibility of the CFPB to know that it is going to be 
protected. I am not — I am just saying, there has to be a reason. 

Dodd-Frank outlaws it up to what the other Federal regulators 
do, like the Fed. Can they do the same thing? I am trying to give 
you a chance here to get out from under this accusation that I 
think Mr. McHenry very eloquently articulated here. I think this 
is a legitimate question that we have to get answered. 

Mr. Antonakes. Congressman, to the extent we collect PIT, it is 
exceptionally limited, generally through the consumer response 
process, as well as our supervisory process. This is very consistent 
with the way other regulators collect this information. 

Mr. Scott. Nothing you do is beyond what other regulators do 
in collection of that personal data? 

Mr. Antonakes. That is correct. And then we secure it, to the 
extent we have to collect it to do our jobs, we secure it on our sys- 
tems. There is very limited access to those systems. They meet 
FISMA standards, the Federal standards, and have received clean 
audits from GAO and the Fed and the CFPB Inspector General, in 
terms of those systems. 

Mr. Scott. So far, has the data security system you have been 
collecting, has it been breached? Have there been attempts to hack 
it? Do we have a fail-safe there? 

Mr. Antonakes. Congressman, to my knowledge, it has not. And 
I would say, again, we have standards in place that meet the re- 
quirements of existing Federal law. 

Mr. Scott. On the medical debt issue, I wanted to go back to 
that. On that information, do you also have information contain 
what that treatment was? This is very private. This is very per- 
sonal information. 

Mr. Antonakes. No, we don’t. 

Mr. Scott. So there is no diligence into what kind of procedure 
he had, what kind of disease, or anything else? That is totally un- 
acceptable? 

Mr. Antonakes. Correct. 

Mr. Scott. All right. Thank you, sir. 

Chairwoman Capito. Thank you. 

Mr. Luetkemeyer for 5 minutes. 

Mr. Luetkemeyer. Thank you. Madam Chairwoman. 

I guess I will follow up on Mr. McHenry’s questioning, as well. 
What are you trying to do whenever you monitor 80 percent of the 
credit card market? 
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Mr. Antonakes. We have a statutory mandate to understand the 
credit card market, as well as other financial marketplaces. We 
also have a congressional mandate to do a study on the effective- 
ness of the CARD Act. So to the extent that we are looking at this 
data — and, again, I need to emphasize that other agencies have 
similar processes in place whereby they look at credit card data — 
it is to fulfill those requirements, to understand the credit card 
market, understand where there may be inherent risk to con- 
sumers in that market, and also to inform the work we have to do 
as part of the CARD Act. 

Mr. Luetkemeyer. You are a former examiner, right? 

Mr. Antonakes. Yes. 

Mr. Luetkemeyer. I am also a former examiner. If we went into 
a bank or financial institution, you always cut on the loans to get 
a certain percentage, and you wouldn’t look at the lower loans. You 
would look at only the big loans, because that is where most of the 
risk was. 

Mr. Antonakes. Correct. 

Mr. Luetkemeyer. Why are you not doing that with credit 
cards? There is no — ^you are not looking at the risk situation there. 
You are monitoring habits. And I am not sure that the CFPB needs 
to be looking at the habits of consumers. They need to be looking 
for the risks that they are taking or some sort of risk that is inher- 
ent within the system of the credit card company or within the sys- 
tem of the credit card industry. 

Mr. Antonakes. Congressman, I think it is important to point 
out a couple of things. In terms of the credit card data collection, 
we do not receive data about individual purchase transactions. 
Moreover, we cannot identify specific cardholders. We can’t identify 
specific purchases. We don’t know the items they purchase, who 
purchased them, when they were purchased. We don’t look for that 
type of information. 

In terms of your questions on where you cut the line, you are ab- 
solutely correct. From an examination point of view, you are taking 
a sample, you are looking at a certain line, the higher risks. But 
to understand this on a more macro level, which is really our other 
function, the market monitoring function, to understand where 
risks may appear more broadly, that is where the more whole- 
some — 

Mr. Luetkemeyer. Okay. So why do you need the personal infor- 
mation, then, if you are just looking at macro prints? 

Mr. Antonakes. We aren’t collecting personal information on the 
credit card data collection. We are not looking — 

Mr. Luetkemeyer. What about the rest of the information? 

Mr. Antonakes. In terms of the exams, we could look for it con- 
ceivably in those circumstances to ensure that if consumers are 
being overcharged, they are being refunded. But the broader data 
collection that you are speaking of— 

Mr. Luetkemeyer. Okay, with regards to exams — 

Mr. Antonakes. — there is no PIT required. 

Mr. Luetkemeyer. With regards to the exams — 

Mr. Antonakes. Yes. 

Mr. Luetkemeyer. — you know what I am talking about when 
I talk about the pink pages or the informational — 
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Mr. Antonakes. Yes, I do. 

Mr. Luetkemeyer. — the information that is there on the stock- 
holders, major owners, as well as employees. Is that information 
taken by the CFPB? 

Mr. Ajsttonakes. We don’t include pink pages in our examination. 

Mr. Luetkemeyer. You don’t accumulate that information at all? 

Mr. Antonakes. We do not. 

Mr. Luetkemeyer. Okay. So, therefore, it is not given out to 
anybody else, either? 

Mr. Antonakes. We are not a safety and soundness regulator, so 
we don’t see the need to collect that type of information. 

Mr. Luetkemeyer. Okay. Well, that is good news. 

Mr. Antonakes. Okay. 

Mr. Luetkemeyer. But we do have concerns with regards to the 
rest of the information that you are giving out, because according 
to some information I have here, you are giving it out to, like, 
500 — do you have contracts with like 500 different groups to be 
able to give the information out to some folks through the FTC’s 
arrangement with their Sentinel Network? 

Mr. Antonakes. I believe you are referring to the extent to 
which we provide access to our consumer database to other State 
agencies. I would say that our consumer response database and the 
manner in which we share with other regulators really mirrors the 
FTC Sentinel program. 

So if there are other agencies — be it a State agency — that has 
comparable jurisdiction over one of the State-licensed non-bank en- 
tities that we may supervise or has supervision over a State-char- 
tered bank that we may supervise, then we believe they have the 
right to have this complaint information and perhaps — 

Mr. Luetkemeyer. Will they have the right to access your files, 
as well? 

Mr. Antonakes. They would access the complaint information 
that we have. That is what they have access to, the complaint, and 
they have to go through a diligence process and sign agreements 
with us before they can access that type of information. 

Mr. Luetkemeyer. Okay. So how many agreements do you have 
at this point? 

Mr. Antonakes. I would have to verify that for you. Congress- 
man, but, again, it is for other agencies with similar supervisory 
responsibilities. 

Mr. Luetkemeyer. Do you have agreements with other coun- 
tries? 

Mr. Antonakes. Not that I am aware of. 

Mr. Luetkemeyer. According to the data here with regards to 
the Sentinel Network, now you are — has that information been ab- 
sorbed by you or you have agreement with them? 

Mr. Antonakes. With the FTC? 

Mr. Luetkemeyer. Yes. 

Mr. Antonakes. I believe we have an agreement with the FTC. 

Mr. Luetkemeyer. Therefore, you have access to that informa- 
tion? 

Mr. Antonakes. I believe so, yes. 

Mr. Luetkemeyer. So, therefore, any other entity that has ac- 
cess to you has access to that information, as well? 
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Mr. Antonakes. I believe they would have to have their own. I 
don’t believe we are a pass-through. I don’t believe another agency 
can make an agreement with us and, therefore, get an agreement 
with the FTC. I believe they would have to do their own agreement 
with the — 

Mr. Luetkemeyer. Do you have any agreements with any for- 
eign countries to have access to your information? 

Mr. Antonakes. I will verify that for you. Congressman. I am 
not aware of any. 

Mr. Luetkemeyer. Okay. Thank you very much. I will yield 
back. 

Chairwoman Capito. Thank you. 

Ms. Velazquez for 5 minutes. 

Ms. Velazquez. Thank you. 

Mr. Antonakes, there is still, I guess, by the line of questions 
that you have heard here — understand there are a lot of critics who 
continue to argue that the Bureau’s collection procedures are too 
broad and burdensome. I just would like to hear from you what 
percentage of the data you collect must be obtained from market 
participants. And how would you counter the argument that busi- 
nesses are negatively impacted by this data request? 

Mr. Antonakes. Congresswoman, we receive information from a 
variety of sources. To the extent we can reduce burden on the in- 
dustry and collect it through third parties that already have that 
information, information that is already provided by the financial 
service companies, we try to use that information. To the extent it 
is in the public domain, we try to use that information, as well. 
And then in terms of our supervisory responsibilities, ensuring that 
Federal financial consumer laws are being followed, that is when 
we would make specific data requests of the banks, the credit 
unions, and the nonbanks that are specifically under our jurisdic- 
tion. 

Ms. Velazquez. And also, you have heard how much we care 
about the — securing the — and providing identity protection, and 
that issue would be one of the Bureau’s top priorities. One breach 
will erode public trust, and it will set back your research signifi- 
cantly. And I heard you saying that you are complying with Fed- 
eral laws and regulations in order to protect personally identifiable 
data. 

But beyond that, what additional steps are you taking to protect 
consumer privacy throughout the process, from collection to publi- 
cation? 

Mr. Antonakes. Yes, so we certainly do share this concern. And 
really, the best way we can ensure that we protect this information 
is to collect as little PIT as possible. And that is our first funda- 
mental goal. 

To the extent we do have to collect it, we store it accordingly. We 
significantly limit, to a need-to-know basis, who in the Bureau has 
access to that information, and we have significant security proto- 
cols built into our system, as well. Once our destruction schedules 
are approved, we will have the means of flushing this data out of 
our system as well, on a regular basis. 

Ms. Velazquez. Recently, Mr. Raj Date, the CFPB’s former Dep- 
uty Director, stated that the Bureau’s data analysis could lead 
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lenders to innovate in ways that cut consumer costs and help regu- 
lators create more efficient rules. Will you be able to elaborate on 
how data collection may lead to better regulation and more innova- 
tion in the financial markets? 

Mr. Antonakes. Well, certainly. Certainly, industry has collected 
this information for a number of years, and technology has en- 
hanced their ability to collect it, and it has led to a lot of innova- 
tion in the financial service marketplace, which ultimately has 
been good for consumers. 

Our use of this data collection is to understand these markets, 
to monitor these markets, and prioritize our limited resources ac- 
cordingly. That essentially is what we are trying to do with this in- 
formation. 

Ms. Velazquez. And you stated in your testimony that informa- 
tion is essential to protecting consumers from unscrupulous activ- 
ity, supervising the financial markets, and maintaining the sta- 
bility of the economy. Can you highlight some instances where your 
current data collection and analysis efforts have successfully pro- 
tected consumers? 

Mr. Antonakes. Sure. There are a number of circumstances in 
which the data collection we have done has resulted in us 
prioritizing resources in certain areas. To the extent that we have 
secured significant reimbursement orders against some of the large 
credit card providers because of unfair and deceptive acts and prac- 
tices related to add-on services, some of our most significant reim- 
bursements thus far have been the result of information coming in 
through our complaint channel, our understanding of the consumer 
credit card markets, and the actual examination of those physical 
consumer files at the credit card institutions. 

Ms. Velazquez. Thank you. 

Thank you. Madam Chairwoman. 

Chairwoman Capito. Mr. Pittenger for 5 minutes. 

Mr. Pittenger. Thank you. Madam Chairwoman. 

Dr. Antonakes, you have a very impressive resume. 

Mr. Antonakes. Thank you. 

Mr. Pittenger. You have served as commissioner of banks. You 
have been a voting member of the Federal Financial Institutions 
Examination Council, vice chairman of the Conference of State 
Bank Supervisors, governing boards of Nationwide Mortgage Li- 
censing System. You have graduated from very esteemed univer- 
sities. And I applaud you for that. 

You now are the number-two man in a very important agency, 
perhaps the most powerful ever in the history of this country. This 
agency now assumes all the responsibilities previously held by the 
Federal Reserve, the Office of the Comptroller of the Currency, the 
now-defunct Office of Thrift Supervision, the Federal Deposit In- 
surance Corporation, the FTC, the National Credit Union Adminis- 
tration, and the Department of Housing and Urban Development. 
That is pretty impressive. 

In many ways, you could say that your board manages the entire 
financial system of this country. You could be likened in ways to 
Joseph under the Pharaoh in Egypt. You are a powerful man. And 
you know that. It is a powerful agency. Wouldn’t you agree? 
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Mr. Antonakes. I thank you, Congressman. I am not sure I am 
quite as powerful as you described. We have — 

Mr. PiTTENGER. But let’s just set the stage that it is correct. 

Mr. Antonakes. We have inherited some of the responsibilities 
of those other regulatory agencies — 

Mr. PiTTENGER. But never have we had an agency that has had 
the power that is unchecked of — ^you are accountable basically to no 
one. You don’t go through appropriations. Isn’t this a very powerful 
agency? And yet the core of what we have been told is your trans- 
parency is going to be imprimatur of your agency. And right now, 
we have reports on the lack of that. 

Here is one memo that went out to keep your calendar entries 
brief in general. If possible, avoid annotating entries with agendas, 
detailed discussions, et cetera. The flyer also instructs employees 
to minimize attachments to your calendar appointments, consider 
using e-mail to send related attachments. 

You know the power you have. Is there a disconnect to you be- 
tween the power of this agency, its accountability to the American 
people, the transparency that it claims to have, and yet these kinds 
of e-mails that have been conveyed to its employees? 

Mr. Antonakes. Congressman, I don’t believe our agency is en- 
tirely different than in many other agencies. Several other agencies 
have a single director structure and none of the bank regulatory 
agencies that you referenced are subject to the appropriations proc- 
ess. 

We, in fact, are the only bank regulatory agency that actually 
has a hard cap on the ceiling of its budget. We have authority in 
the consumer protection laws that were transferred to us by Dodd- 
Frank. We also have significant responsibility to the American peo- 
ple and to the other regulatory agencies. We have to, by statute, 
coordinate our examination activities with those other regulatory 
agencies. We have to provide copies of our reports of examination — 

Mr. PiTTENGER. Yes, sir. I hear that. 

Mr. Antonakes. — for comment to those other regulatory agen- 
cies. 

Mr. PiTTENGER. My concern is, sir — 

Mr. Antonakes. So I do believe there are significant checks and 
balances — 

Mr. PiTTENGER. — that the power you have enables you to exer- 
cise it in any way that you feel is right for you. And the rights of 
the American people really are the foremost, aren’t they, and their 
privacy, and their consideration? You are collecting lots of data. 
And I think it is just a concern to this body, the accountability that 
you have to the American people and, frankly, back to the Congress 
of what you are doing with the data that you are obtaining and 
what role that you are going to play in ensuring that you are really 
transparent and that you are doing what is really in the best inter- 
est and what is really needed for the American people and not 
abuse the power, as we have seen in other agencies in this govern- 
ment. 

There is a no-confidence vote right now in government. You prob- 
ably are aware of that. And I would implore you to use the power 
that you have with full discretion. I yield back my time. 

Chairwoman Capito. The gentleman yields back. 
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Mr. Lynch for 5 minutes. 

Mr. Lynch. Thank you, Madam Chairwoman. 

And, again, I thank the witness for his willingness to help the 
committee. I do want to — just at the outset — point out some con- 
tradictions here. All of the parade of horribles, the evils that have 
been described by my friends on the other side of the aisle that 
might lurk within this agency that is charged with the mission of 
protecting consumers is now in the possession of private banks. 
And even more so, private banks, credit card companies, payday 
loan operators, you name it, they all go on these social network 
sites and they actually get the data that you are concerned that 
this agency might get. 

You have massive data-mining companies, data brokers like 
Acxiom and others. They actually sell this information that you are 
worried that this agency that protects consumers might have. The 
paradox there is that those banks are completely unregulated with 
respect to the conduct that they are undertaking and there are no 
checks and balances. 

In fact, a couple of weeks ago, we passed legislation that would 
allow those same banks that take that information without concern 
for privacy to work with affiliates and other countries that have 
that information, but that are outside the regulatory jurisdiction of 
the United States, that our consumers would be totally unprotected 
by your legislation. That is one paradox or one contradiction here 
today I want to point out. 

The second one is that, as each and every regulatory agency 
comes before this committee and others, there has been a debate 
here in Congress, driven by my colleagues in the Majority, that 
have required each and every regulatory agency to make sure that 
every regulation that they adopt, every rule that they adopt is sup- 
ported by data-driven, fact-based analysis of how they operate. 

So you have told these regulators that everything they do must 
be data-driven, everything they do must be fact-based, everything 
they do must be analyzed to prove that the costs do not exceed the 
benefits of that regulation. So you are requiring them on the one 
hand, last week, to get as much data as they possibly can, to make 
sure that their regulations are fact-based and in real time. And 
today, you are wringing your hands, saying, “Oh, my God, they are 
going after data.” Well, you can’t have it both ways. 

You are asking these regulators to base their decisions and regu- 
lations on data, data-driven analysis. And now, you are wringing 
your hands and saying, “Oh, we can’t do this.” 

I do want to mention that the Patriot Act, which was heavily 
supported by your side and some on our side, requires a lot of this 
information right off the top. And one of the principal premises of 
that legislation is to know your customer, for the banks to know 
their customer and to make sure that they aren’t allowing bad ac- 
tors to capitalize on the legitimate banking industry. 

Mr. Antonakes, I happen to work very closely with the Massa- 
chusetts regulators and the Boston office of the Fed. And during 
the housing crisis, I thought it was very helpful that the Fed could 
actually tell me how many homeowners — and they could give me 
the data by town, by county, by my congressional district — how 
many people were in arrears on their mortgages. They could tell 
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me how many people were in default. They told me how many — 
they could tell me how many people were in the foreclosure process 
and how many were going to he evicted, so we could target re- 
sources. 

And it was very different. I have 3 cities, 18 towns, and 720,000 
people in my district, and they were very helpful. That is a lot of 
data that they are getting already. How are you working with some 
of these other agencies? Some of these concerns are legitimate 
about making sure we don’t let this personal information get out 
there and he abused. 

But how are you coordinating with these other agencies that are 
actually scooping up this data, as well? And can we minimize the 
exposure and minimize the cost of doing what I would describe as 
due diligence, in terms of protecting consumers? 

Mr. Antonakes. Congressman, we do have information-sharing 
agreements with the other regulators, and we are not seeking to 
collect information which they already have. So to the extent that 
we can share it, we welcome that opportunity. It would reduce cost 
and burden on the industry. 

Mr. Lynch. Thank you. My time has expired. 

Chairwoman Capito. The gentleman’s time has expired. 

Mr. Lynch. I yield back. 

Chairwoman Capito. Thank you. 

Mr. Fitzpatrick for 5 minutes. 

Mr. Fitzpatrick. I thank the Chair. 

And I also want to say to the witness that we all appreciate your 
testimony here today. This subject matter is very sensitive to ev- 
erybody I know, everybody I represent back home in Pennsylvania, 
which is why this hearing is so important. 

News reports indicate that the CFPB is assigning an identifier 
to each individual and requiring that all data providers use that 
same identifier for each individual when submitting their data. Sir, 
is that true? 

Mr. Antonakes. I believe it is true, in terms of the credit card 
collection data. 

Mr. Fitzpatrick. For what purpose would the Federal Govern- 
ment need to track the financial habits of an individual consumer? 

Mr. Antonakes. We are not seeking to identify who the con- 
sumer is. We are not seeking to monitor individual purchases. But 
it does allow us to see trends over a period of time, in terms of bal- 
ances, in terms of interest rate, and in terms of impact. And that 
is really all we are seeking to do. 

We are not interested in individual American behavior. We are 
not interested in where they purchased their goods, what they are 
buying. We are simply interested in knowing over a period of time 
what happens with credit card balances. Do they go up? Do they 
go down? How are fees associated? How is the broader economy im- 
pacting those balances, as well? And this allows us to track that 
type of information. We have no interest whatsoever in identifying 
the specific individual who owns that card. 

Mr. Fitzpatrick. But if you are using identifier numbers on this 
data that is being collected, the amount of which you haven’t been 
able to really tell us today how much — and I certainly hope, sir, 
that you will follow up the questions where you had no specific an- 
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swers and provide that information to the committee — but if your 
Bureau is using identifying numbers to link data together, how is 
that not creating a consumer data file on individual Americans? 
Even if you don’t know who that American is, theoretically, you are 
linking data sets together through an identification number and 
you are building a consumer file on an individual. Is that not true? 

Mr. Antonakes. We are looking at individual loan level account 
information. That is correct, sir. But we are not seeking to deter- 
mine who that particular consumer is. That is the way that we can 
understand how these marketplaces are working. That is how we 
can basically determine where risks may lie and look at trends over 
a period of time, but we have no interest whatsoever in trying to 
determine or reverse engineer who that specific individual is. 

Mr. Fitzpatrick. Does that not mean, though, that the Bureau 
has a picture of the financial transactions at an individual level? 

Mr. Antonakes. The only information that we are collecting, to 
my understanding, is the interest rate, fees, previous balance, and 
new balance. 

Mr. Fitzpatrick. Madam Chairwoman, I will yield the balance 
of my time to Mr. Duffy. 

Chairwoman Capito. Mr. Duffy? 

Mr. Duffy. Thank you. Just quickly, I want to go back to some 
of the other questions that I have asked. What institutions, again, 
are you monitoring? You have nine of them, right, for financial 
data? 

Mr. Antonakes. In what respect. Congressman? 

Mr. Duffy. What institutions are you getting financial data 
from? 

Mr. Antonakes. We are looking and, through a variety of con- 
tacts, we take data from the institutions that are under our pri- 
mary jurisdiction, banks and credit unions, over $10 billion in as- 
sets, as well as nonbank — 

Mr. Duffy. So from all of them, you are collecting financial data? 

Mr. Antonakes. The extent of the data may vary based upon 
their business model and the type of operations they have. 

Mr. Duffy. Okay. And, again, you are not willing to provide the 
letters of request for that financial data to this committee, is that 
correct? 

Mr. Antonakes. The letters themselves are confidential super- 
visory information. We can perhaps discuss what — we could give 
you — 

Mr. Duffy. But don’t — 

Mr. Antonakes. — we could give you — 

Mr. Duffy. Don’t you think Americans have a right to know 
which financial institutions are providing you their financial data? 
Don’t you think that is an American’s right to say, listen, I know 
the government is collecting my data if I bank with X bank, and 
I know they give my credit card transactions to the CFPB? Don’t 
they have a right to know that? And why won’t you share that with 
us? 

Mr. Antonakes. So to the extent that is done. Congressman, it 
is done through our supervisory process, just as it is done with the 
Federal Reserve, the FDIC, the OCC — 

Mr. Duffy. That is not my question. 
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Mr. Antonakes. — ^bank regulators, as well. 

Mr. Duffy. But you are the Consumer Financial Protection Bu- 
reau. 

Mr. Antonakes. Right. 

Mr. Duffy. And you protect consumers. Do you think consumers 
would be more apt to bank with the institutions that you collect 
data on or less likely to bank with those institutions? 

Mr. Antonakes. I believe it is problematic. It would impact our 
ability to efficiently supervise institutions. 

Mr. Duffy. That is right. Because — 

Mr. Antonakes. And I also believe that it could have unintended 
consequences for institutions, as well. 

Mr. Duffy. That is right. Because Americans don’t want you to 
have their financial data. That is exactly right. That is the point. 
And so if they don’t want you to have their financial data, don’t 
take it. Or ask their permission. But you make the point for us. 
They don’t want you to have the data, and you are taking it any- 
way, under the auspices of the Consumer Financial Protection Bu- 
reau. You take their data, they don’t want you to have it, and you 
don’t care. 

I yield back. 

Chairwoman Capito. Mr. Heck? 

Mr. Heck. Thank you. Madam Chairwoman. I yield 2 minutes to 
the gentleman from Georgia, Mr. Scott. 

Chairwoman Capito. Mr. Scott? 

Mr. Scott. Yes, I have two points to make. First of all, in re- 
sponse to Mr. Duffy, for whom I certainly have great respect, but 
at the one point, he is trying to point out how we want to make 
sure information is secure and, on another point, we want to share 
it. You can’t do both. 

And I think what we are trying to get here is a delicate balance, 
where you get the information. And, again, I think it is very impor- 
tant to repeat that many of these requests for this personal data 
come from that individual reaching out to you. Is that not correct? 

Mr. Antonakes. Much of it does. Certainly, anything coming in 
through our consumer complaint hotline, 150,000 requests for help 
from every State in the country has affirmatively come to us from 
consumers. 

Mr. Scott. Right, no different from — you have the banking oper- 
ations, you have other operations, financial operations, get the 
same information. But my point is — there is one area we missed 
here that I think we need to clear up. There are third parties in- 
volved here. You have vendors, investigators going out and col- 
lecting this information. 

Can you tell us how our information is protected through these 
third parties? Where does that line come down? How do we protect 
information that these third parties are getting, that have con- 
tracts and were paid millions of dollars and are helping get the 
money to get back to the consumers? When do we wash their hands 
of this information so it doesn’t get out through third-party ven- 
dors? 

Mr. Antonakes. So, Congressman, any laws that we have to fol- 
low to protect consumer information they have to follow, as well, 
if we are engaging them specifically. 
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Mr. Scott. All right. Well, thank you. I want to take the time 
to thank the gentleman, Mr. Heck, for allowing me those 2 min- 
utes. Thank you. 

Mr. Heck. Thank you, sir. Thank you for your presence, your tes- 
timony, and your service to our country. 

I have the honor and privilege to represent a congressional dis- 
trict that includes Joint Base Lewis-McChord, the third-largest 
military installation in America. And as a consequence, I ask the 
following question: The proposal to require an opt-in on the part of 
individuals, would that affect the Bureau’s servicemembers’ office’s 
ability to protect members of the military and their families? 
Would it materially affect your ability to protect those members? 
And if so, can you describe briefly what that would look like? 

Mr. Antonakes. Congressman, thank you. It is something that 
I haven’t considered thus far, but I would say my initial reaction 
is it conceivably could impact our ability to protect servicemembers, 
as it would other consumers, as well. 

To the extent servicemembers are serving abroad, they may not 
have ready access to mail, and an opt-in could conceivably be dif- 
ficult in certain circumstances. It also — and this is really the broad- 
er concern, and I believe the other regulators would share this con- 
cern — the ability to efficiently examine institutions would be sig- 
nificantly impacted, and our ability to identify risks, our ability to 
identify violations of law, and most importantly, our ability to iden- 
tify who should be receiving refunds. 

In the case of the MILES program, which servicemembers should 
be receiving $6.5 million in refunds, in the case of our other activ- 
ity, over $425 million in additional refunds last year alone, as a re- 
sult of our ability to look at individual transactions in supporting 
information and data. 

Mr. Heck. So it would hurt your ability to protect members of 
the military? 

Mr. Antonakes. Yes, sir. 

Mr. Heck. Part of our frustration with this discussion is that it 
seems to offer a false choice between treasured and cherished val- 
ues of privacy and that of consumer protection. I am acutely sen- 
sitive to this as it relates to members of the military. And I just 
don’t think these — this is a zero-sum game and that these values 
are mutually exclusive. 

And I have to say, if I can get this out, yesterday I had the privi- 
lege to visit Walter Reed Hospital. I spent quite a bit of time in 
the amputation wing. And I observed a young man who had a dou- 
ble amputation up to and including his hips. And I observed him 
walking on prosthetic devices. 

I have no idea what the technology behind that is, which enabled 
him to do it, but I will tell you, I have never, ever observed the 
level of courage that I did in those young servicemembers. And I 
don’t want to do anything that sacrifices our ability for you to pro- 
tect those servicemembers and those who put themselves in harm’s 
way. And I don’t believe for one second that we have to sacrifice 
the value of privacy in order to do that. 

Thank you for the job you have done, sir. 

Chairwoman Capito. Thank you. 

Mr. Rothfus for 5 minutes. 
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Mr. Rothfus. Thank you, Madam Chairwoman. 

Welcome, Mr. Antonakes. I am glad to see a Penn State grad 
here. A point has been made about banks having this information 
already, but isn’t it true that private financial institutions are sub- 
ject under Gramm-Leach-Bliley to maintain the privacy of con- 
sumer data? 

Mr. Antonakes. Yes, sir. 

Mr. Rothfus. Now, the CFPB is not subject to Gramm-Leach- 
Bliley. Is that correct? 

Mr. Antonakes. We have other data standards that we have to 
follow. 

Mr. Rothfus. If we could go a little bit to the credit card collec- 
tion program that you have and get a little more specific types of 
data that you are collecting under there, it has been reported that 
there have been 100 data fields per account that you are collecting. 
Is that true? 

Mr. Antonakes. I would have to verify that for you. Congress- 
man. 

Mr. Rothfus. Can you, again, tell me the types of data fields 
that would be collected: interest rate; balances; month to month? 
I think you testified to that, correct? 

Mr. i&TONAKES. Yes. 

Mr. Rothfus. Other information? Would the ZIP Code of an ac- 
count be collected? 

Mr. Antonakes. I don’t believe we are collecting any PIT on the 
credit card information. 

Mr. Rothfus. Okay, so you are — among the hundred data fields 
or so, you are not including the ZIP Code? 

Mr. Antonakes. I don’t believe so, but we can verify that for you. 
Congressman. 

Mr. Rothfus. And you would not include date of birth? 

Mr. Antonakes. That is correct. 

Mr. Rothfus. When are you collecting personally identifiable in- 
formation? 

Mr. Antonakes. When we do collect PIT, it is generally through 
our consumer response function, in which American consumers are 
reaching out directly to us to help them in their financial trans- 
actions with institutions that we supervise. And it is also — 

Mr. Rothfus. You are collecting that data directly from the con- 
sumer in that case? 

Mr. Antonakes. That is correct. They provide it to us volun- 
tarily, subject to our privacy disclosure, so that we can then reach 
out to their financial institution to determine whether or not a vio- 
lation of consumer protection law did, in fact — 

Mr. Rothfus. Now, are you ever collecting data from an institu- 
tion that has not been alleged to have committed any wrongdoing? 

Mr. Antonakes. We would review certain data during the course 
of our examination function. We examine — 

Mr. Rothfus. Would you ever ask such an institution that has 
not been accused of any wrongdoing? Have you ever asked them for 
personally identifiable information about any consumer? 

Mr. Antonakes. So, Congressman, during the course of an exam- 
ination, we don’t presume someone is guilty before we conduct an 
examination, but we have to do certain transaction testing, we 
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have to look at certain information to, in fact, verify that there 
haven’t been violations of law. 

Mr. Rothfus. Now, you are going to try to collect information, 
for example, 80 percent of the credit card accounts in the country? 

Mr. Antonakes. I believe that is the type of data we are trying 
to collect — 

Mr. Rothfus. Do you have any idea of the cost of complying with 
a request like that for a private institution? 

Mr. Antonakes. My understanding is this is information that 
they collect and provide already. 

Mr. Rothfus. That they are already — so up to 80 percent of the 
accounts are already being provided information to a government — 

Mr. Antonakes. No, they collect 100 percent of this data al- 
ready. They provide some of this data to other Federal regulators. 

Mr. Rothfus. Do you have any idea how much the cost would 
be for them to put together — having this data sent over to the 
CFPB? 

Mr. Antonakes. I don’t know the specific costs. Congressman, 
but I need to point out that they collect this data and they review 
this information already. 

Mr. Rothfus. Are you aware that consumers are seeing in- 
creases in fees and costs being passed onto them by financial insti- 
tutions? 

Mr. Antonakes. I don’t believe the fees that may be passed on 
to consumers is the result of our data collection activities. 

Mr. Rothfus. What about the loss of free checking that we are 
seeing out there in the marketplace? You are aware of that? 

Mr. Antonakes. I am also aware of other market trends and 
laws that have resulted in shifts in how checking accounts are 
charged. 

Mr. Rothfus. There is no right for a consumer to opt out of hav- 
ing a private institution that they have an agreement with to have 
that institution opt out from giving you their data. Is that correct? 

Mr. Antonakes. To the extent we are collecting data through our 
supervisory process, no, there is not. And there isn’t for all of the 
other prudential regulators and State regulators that conduct simi- 
lar activities. 

Mr. Rothfus. Now, with respect to collect — ^being able to process 
claims for people who have made complaints — I think we talked 
about 50,000 individuals, servicemembers — that you have the data 
both from complaints and from examination activity. Do you have 
any idea the breakdown — for example, of the 50,000 who were due 
refunds, how many do you get from complaints versus the examina- 
tion activity? 

Mr. Antonakes. I believe in that case the activity was brought 
to our attention through a consumer complaint, and then the — 

Mr. Rothfus. Do you have any idea how many consumer com- 
plaints there were? 

Mr. Antonakes. I can verify that for you. I don’t believe there 
was a significant number of consumer complaints. And I believe 
the more wholesome impact on servicemembers was borne out dur- 
ing the course of our examination and investigation. 

Mr. Rothfus. Wouldn’t it be possible, though, to target in that 
case — if you hear complaints coming from consumers, and you see 
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that there might be an actor out there that is not doing what they 
should be doing, then you can target and go directly at that par- 
ticular bad actor. Isn’t that right? 

Chairwoman Capito. The gentleman can answer. 

Mr. Antonakes. Certainly, consumer response serves two pur- 
poses for us in many respects, the first of which is an immediate 
means of providing responsiveness and potential relief to con- 
sumers who reach out directly to us. It is as you appropriately 
point out, also a means by which our priorities for supervision and 
investigations can be impacted, if we see certain trends developing 
through that channel. 

Mr. Rothfus. Thank you. 

Chairwoman Capito. The gentleman’s time has expired. 

Mr. Posey? 

Mr. Posey. Thank you. Madam Chairwoman. 

The Consumer Financial Protection Bureau is a great sounding 
name. But there seems to be some reason to question whether the 
title actually reflects the mission, or if in reality it is an oxymoron. 
On December 21st, I sent you a letter and listed 19 separate ques- 
tions regarding the loan level data collection project. You — and 
when I say “you,” I mean your agency; I sent it to Mr. Cordray’s 
attention — responded 2 months later with a three-paragraph letter 
that didn’t answer a single doggone question in any detail at all, 
the same kind of gibberish that you gave the vice chair a little 
while ago when he asked you one of the 19 questions that I asked 
you. 

It is inconceivable to me, unless you are from the most dysfunc- 
tional agency in the entire world, that you would come here before 
this committee today unprepared to answer the very simple ques- 
tions that you have been asked. It is inconceivable to me that your 
agency cannot answer the 19 questions that I asked you 6 months 
ago. And yet you call yourselves the most transparent agency — 
your hallmark is supposed to be transparency. 

I know more about your agency from Bloomberg than I do from 
any communications you or anybody from your agency have had 
with my office or with me. You have transparency as a core of your 
agenda. Why is it your agency has a flyer instructing employees to 
keep calendar entries brief and general and avoid entertaining en- 
tries with agenda detail discussions? How can you claim to be 
transparent when you can’t provide a single e-mail in response to 
the Freedom of Information request from Judicial Watch? 

It has been alluded to that the financial crisis was caused be- 
cause we didn’t have a CFPB, when I think most people with a 
brain know we already have enough agencies, we have enough 
rules, we have enough bureaus, we have enough employees. We 
just don’t have enough of them doing their jobs. And that is why 
we had a financial crisis. 

I don’t think that, if we had a dozen CFPBs before and they 
didn’t perform any better than any of the other agencies, it would 
have changed anything. And I haven’t heard any way yet you 
would stop — anything your agency is authorized to do that would 
stop the same thing from happening again. You are going to have 
all the financial records of 80 percent of Americans. And then the 
next obvious question is, well, why not 100 percent? Who are you 
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exempting? Why would you exempt them? It is going to be like the 
people who wrote Obamacare. Are they going to exempt them- 
selves? 

These are natural questions my constituents have, and I don’t 
blame them for being suspicious. Americans like their privacy. 
They enjoy the Fourth Amendment, and they don’t like it violated. 
And the more I hear from you, the more I hear that you are inten- 
tionally violating their Fourth Amendment. You are violating their 
privacy. 

People haven’t asked you to — ^you go to most businesses in Amer- 
ica and say, “Hey, I am from the government. How can I help you?” 
Those are the most feared words they can hear. You want to help 
them? Stay the heck away from them. 

I think we definitely need to have an opt-in to this thing. I just 
think that the fact that you are so ill-prepared to answer any ques- 
tions here today speaks volumes about what is already wrong with 
that agency. 

When Mr. Cordray was here the first time, he appeared before 
us, and we asked a bunch of questions he couldn’t answer. He said, 
“I will come back and answer them.” Instead, he sent “secretary 
somebody” who had the same answer to all the questions he did: 
“I don’t know.” 

I think Mr. Capuano asked her how much she wsa being paid not 
to know anything. And several other Members also asked her. She 
refused to tell her salary. That is how transparent they are. I 
heard Mr. Lynch from Massachusetts talk about all this detailed 
mortgage information that he has about his district. I have asked 
for that information, and I have never gotten one ounce of that in- 
formation before. 

So I am very suspicious, and I would just like for you to tell me 
why you can’t answer any questions that we have asked here that 
have already been asked of your agency and you should have been 
well-prepared to answer today. 

Mr. Antonakes. So, Congressman, I appreciate your comments 
very much. And to the extent — 

Mr. Posey. I bet you do. 

Mr. Antonakes. — our response was not satisfactory to you, I am 
happy to try to follow up and provide you more information, as 
well. We, I believe, have tried to answer that in the vast majority 
of cases, we do not collect personally identifying information — 

Mr. Posey. Listen — 

Mr. Antonakes. We have — it has resulted — 

Mr. Posey. Reclaiming my time, that is the same baloney that 
you gave Mr. Duffy. And that is basically the only answer he gave 
me. I asked you 19 specific questions. We all know you claim not 
to have detailed personal information, just like the NSA and just 
like the IRS don’t abuse that power. We are not even going there 
yet. 

We asked you very simple, easy-to-answer questions that you 
should be able to respond to honesty. 

Chairwoman Capito. The gentleman’s time has expired. 

Mr. Pearce? 

Mr. Pearce. Thank you. Madam Chairwoman. 
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Thank you, Mr. Director. And trying to put things into context, 
why the questions come up, I hear of your and I read in your state- 
ment that empirical analysis is necessary for good policy, so you 
collect more of it. Probably no one collects more information than 
the IRS, yet in 2009, they had 100,000 people, employees of the 
Federal Government, who were not paying their taxes. And, of 
course, that was led by Treasury Secretary Geithner, who didn’t 
think it was his duty to pay taxes. 

And now within the last 2 years, that number has gone to 
312,000 and $3.5 billion now owed by Federal Government employ- 
ees. The government has the information. They just choose to check 
on conservative groups rather than check on the people who are 
not paying their taxes. 

So if there is a little concern about what you are collecting — and 
I was a little bit confused. I thought you said to Mr. McHenry that 
part of the PIT is name, address. Social Security number, ZIP, prop- 
erty they have, credit score, and balances. And then I heard a dif- 
ferent answer, I thought, to Mr. Rothfns. Is this PIT? So — name, 
address. Social Security, ZIP, property they have, credit score, I 
thought you had affirmed to Mr. McHenry. Was I hearing back- 
wards? That is not stuff you collect and as part of PIT? 

Mr. Antonakes. No, sir. So — 

Mr. Pearce. So it is not part of it? 

Mr. Antonakes. We collect PIT through our consumer response — 

Mr. Pearce. So that — PIT includes — 

Mr. Antonakes. — supervisory — 

Mr. Pearce. If I could reclaim my time, PIT includes name, ad- 
dress, Social Security number, ZIP, property, credit score? I 
thought Mr. McHenry walked through that, so is that part of PIT 
or is it not? Yes or no? 

Mr. Antonakes. The answer is it is part of PIT. It may not be — 

Mr. Pearce. Okay. So if it is part of PIT, maybe we should invoke 
the Geneva Convention for consumers. Under the Geneva Conven- 
tion, when I went to Vietnam there were a lot of pilots being shot 
down. We only had to give our name, rank, and Social Security 
number. Here, you collect all the other jazz. You have the potential 
to misuse it, exactly like the IRS is misusing it. 

So I was interested in your response to Ms. Velazquez. She noted 
properly that one breach will erode the confidence. And she asked, 
what steps have you taken to see that you don’t have a breach? 
You said that the answer was to collect as little information as pos- 
sible. Are there any other things that you do to stop a breach? 

Mr. Antonakes. Sure. Congressman, our systems are compliant 
with the Federal — 

Mr. Pearce. No, I didn’t ask what you are compliant with. What 
other steps do you take to ensure there is no breach? 

Mr. Antonakes. We have robust security systems, IT systems 
that are constantly being reviewed and audited. We have limited 
significantly which personnel have access to this information, and 
we are trying to ensure that we have the procedures in place to dis- 
card this information when it is no longer necessary. 

Mr. Pearce. So you have contractors that have access to infor- 
mation? 

Mr. Antonakes. We have limited contractors that have access — 
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Mr. Pearce. But some contractors do. I am sure Mr. Snowden 
was one of a very limited number. Have you gone and done case 
studies on agencies or consumer groups, credit card companies 
where information has been distributed, where people have leaked 
or shared or hacked in? Have you studied those? Has your agen- 
cy — as someone said, you are a very powerful agency. You are prob- 
ably going to have more information than even the IRS. 

Have you done any case studies on the people who have leaked 
Mr. Snowden or any of the others? Did you stop — as a manager, 
did you stop everyone and say, “Hey, this is a wake-up call. If it 
can happen in the most secret of our agencies, it might happen to 
us.” Did you, as Deputy Director, number-two guy, stop everybody 
and say, “Wait, we need to sit down and have a discussion on our 
ethics internally. If it could happen over there, it could happen 
here?” 

Mr. Antonakes. So we do take data security — 

Mr. Pearce. No, I did not — did you have any case studies looking 
at specific things where people have leaked or stolen information? 
That is a fairly simple question. 

Mr. Antonakes. We do — 

Mr. Pearce. You are the number-two guy in the company or 
the — 

Mr. Antonakes. — do not have any specific case studies where 
other agencies have leaked information. Congressman. 

Mr. Pearce. That is incredible to me that you would not look at 
what happened. The breakdowns have happened in some of the 
credit card companies where massive information has been re- 
ceived. It is incredible that you as the number-two guy have not 
done that. 

Do any of the people, when you make these awards, have any bo- 
nuses been given to employees or investigators or people who are 
collection agencies? Have any awards been given to people who 
help you get the information? 

Mr. Antonakes. I am not sure I understand the question. Con- 
gressman. 

Mr. Pearce. Okay. You said that you found 28,000 — or employ- 
ees are — Defense Department people. You got awards back to them. 
Did anybody get finder’s fees? Because I am finding that in many 
agencies. 

Mr. Antonakes. No, sir. 

Mr. Pearce. No finder’s fees? 

Mr. Antonakes. No. 

Mr. Pearce. No bonuses, no nothing? 

Mr. Antonakes. Not — no. 

Mr. Pearce. Okay. 

Mr. Antonakes. Not to — 

Mr. Pearce. I yield back. Thank you. Madam Chairwoman. 

Chairwoman Capito. Mr. Barr for 5 minutes. 

Mr. Barr. Mr. Antonakes, I am just seeking a little clarification 
here. Under what circumstances does the Consumer Financial Pro- 
tection Bureau obtain in its data collection efforts personally identi- 
fiable information? 

Mr. Antonakes. We will collect it through our consumer re- 
sponse portal, if consumers reach out directly to us for assistance — 
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Mr. Barr. I understand that. And what is the second category? 

Mr. Antonakes. And also during our supervisory process. When 
we conduct examinations of the banks, credit unions, and nonbanks 
that are under our jurisdiction, we may have access to that infor- 
mation to report for exams. 

Mr. Barr. Okay. So Section 1022 of Dodd-Frank specifically pro- 
hibits your agency from collecting data “for the purposes of gath- 
ering or analyzing the personally identifiable financial information 
of consumers.” How do your data collection efforts that contain per- 
sonally identifiable information comport with that statutory prohi- 
bition? 

Mr. Antonakes. That statutory prohibition lends itself to broad- 
er market monitoring data collection activities. It does not go spe- 
cifically toward data collection activities through our supervisory 
process. 

Mr. Barr. Okay, are you — 

Mr. Antonakes. There are other provisions in Dodd-Frank that 
allow us to do it. 

Mr. Barr. — familiar with the system of records notice that was 
published in the Federal Register by your agency in November of 
last year? 

Mr. Antonakes. Generally. 

Mr. Barr. Okay. Are you aware that the system of records no- 
tice, which is required under the Privacy Act of 1971, that require- 
ment is triggered by the collection of information that is actually 
retrieved by a personal identifier and that these SORN notices are 
used to provide notice to members of the public that their informa- 
tion is being used by an agency? Are you aware of that? 

Mr. Antonakes. Yes, sir. 

Mr. Barr. And so you are admitting that your agency has issued 
one of these system of records notices to alert the public that you 
are collecting personally identifiable information. Is that correct? 

Mr. Antonakes. Yes, sir, as we are allowed under other provi- 
sions of Dodd-Frank to fulfill our other mandates to protect con- 
sumers. 

Mr. Barr. Okay. And so is the information — the PII that you are 
collecting pursuant to this systems of records notice, is that person- 
ally identifiable information, is that searchable by personally iden- 
tifiable information in your database or your contractors’ database? 

Mr. Antonakes. We would collect information for our consumer 
response portal, as well as through our supervisory process, for 
the — 

Mr. Barr. I understand you collect it. Is it searchable by person- 
ally identifiable information? 

Mr. Antonakes. I would have to get back — 

Mr. Barr. Could you get back with us on that? 

Mr. Antonakes. Yes, I would be happy to. 

Mr. Barr. We would be interested to know that. And specifically, 
we want to know if the data can be retrieved by personal identi- 
fiers. So that would be something of interest to this committee, if 
you could get back to us on that. 

How long is the data that includes personally identifiable infor- 
mation retained? What policies or procedures do you have in place 
for records retention of that PII? 
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Mr. Antonakes. We have policies that we have submitted to the 
National Archives Center and we are waiting for their approval of 
our destruction schedules. 

Mr. Barr. So, you don’t have a policy in place right now? 

Mr. Antonakes. We don’t have an approved policy in place by 
the National Archives Center. 

Mr. Barr. So at this point, the PIT that you all have obtained 
is not subject to any kind of records retention schedule as of yet? 

Mr. Antonakes. As of yet, but we have significant hopes that we 
will have those schedules approved shortly. 

Mr. Barr. Okay, under the system of records notice regarding 
your data collection activities, has the CFPB also conducted a pri- 
vacy impact assessment of that? 

Mr. Antonakes. I would have to confirm that for you. Congress- 
man. 

Mr. Barr. Okay. If you could get back to us on that. And if — 
and in addition to whether or not you have conducted the privacy 
impact assessment, if you have not, we would like to know why you 
have not yet subjected the agency to a privacy impact assessment. 

And then a third follow up, please, which would be why would 
the CFPB not have made public the privacy impact assessment, if, 
in fact, you have conducted one? So, again, if you are unaware of 
the answer to those questions, if you could follow up with my office 
or the committee, that would be appreciated. 

Mr. Antonakes. I will be happy to do so. 

Mr. Barr. Okay. Are any individuals — since you are conceding 
that you — and you have issued this notice in the Federal register 
that you are collecting personally identifiable information — are any 
of the individuals whose personally identifiable information that 
has been collected, are any of these individuals — have any of these 
individuals been given notice prior to that collection? 

Mr. Antonakes. No, sir, because it is not required under our su- 
pervisory authority. 

Mr. Barr. Okay. I yield back. 

Chairwoman Capito. The gentleman’s time has expired. 

Mr. Westmoreland? 

Mr. Westmoreland. Thank you. Madam Chairwoman. 

You are the Associate Director of Supervision and Enforcement, 
correct? 

Mr. Antonakes. That is correct. 

Mr. Westmoreland. Do your enforcement officers carry fire- 
arms? 

Mr. Antonakes. No, they don’t, sir. 

Mr. Westmoreland. So they do not carry firearms? 

Mr. Antonakes. No. 

Mr. Westmoreland. Do they wear uniforms? 

Mr. Antonakes. No, sir. 

Mr. Westmoreland. Okay. Do the PIT, do the individuals know 
that you are storing their data? 

Mr. Antonakes. To the extent information is coming into our 
consumer response channel, there is a privacy notice for them, and 
I would say, yes, they know that we are storing their information. 
If it is coming through the examination process, then not nec- 
essarily. 
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Mr. Westmoreland. How many questions do you ask these folks 
if they call in with a problem? 

Mr. Antonakes. We are basically trying to ask the minimum 
questions that will allow us to remedy the situation, if, in fact, 
there has been a violation of consumer law. 

Mr. Westmoreland. And so then you tell them you are storing 
their information for later use? 

Mr. Antonakes. I’m sorry, sir? 

Mr. Westmoreland. You are getting this information, and they 
know you are getting it to store the data. 

Mr. Antonakes. That is correct. 

Mr. Westmoreland. So you tell them — 

Mr. Antonakes. Yes — 

Mr. Westmoreland. — we are storing your data? 

Mr. Antonakes. There is a notice that indicates that. 

Mr. Westmoreland. Okay. How many people have access to 
this? 

Mr. Antonakes. It is limited to those who are responding di- 
rectly to the complaints, as well as some other folks in the Bureau 
that — 

Mr. Westmoreland. I know that, but how many people is that? 

Mr. Antonakes. I would have to get back to you with a precise 
number. 

Mr. Westmoreland. You don’t know? 

Mr. Antonakes. I don’t know the precise number. It would de- 
pend on — it is — 

Mr. Westmoreland. Would the Director know the precise num- 
ber? Who would know the number? 

Mr. Antonakes. We could provide that information to you. I just 
don’t know it off the top of my head. 

Mr. Westmoreland. Sure. 

Mr. Antonakes. It is focused on a need-to-know basis, for those 
who either are directly responding to — 

Mr. Westmoreland. I think it is pretty unusual that you 
wouldn’t know how many people had access to this, but what type 
of security clearance do these CFPB employees have, who have ac- 
cess to this information? 

Mr. Antonakes. They all go through significant background 
checks, as well. I think we have the security clearance that is akin 
to agencies of — 

Mr. Westmoreland. Is it — what kind of security clearance is it? 

Mr. Antonakes. It is not top-secret clearance. 

Mr. Westmoreland. Okay, so they have information to all these 
personal names. Social Security numbers, addresses, birth dates, 
and whatever. And they don’t have any type of level of security 
clearance? 

Mr. Antonakes. We do attempt affirmatively to limit the PIT 
that we need to collect — 

Mr. Westmoreland. Do you do it yourself? 

Mr. Antonakes. Do I do it myself? 

Mr. Westmoreland. No. 

Mr. Antonakes. No. 

Mr. Westmoreland. Does the CFPB do it within its own agency? 
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Mr. Antonakes. We attempt through our consumer response 
portal to limit the type of PIT. We collect just enough to he able to 
go back to the company so that they can actually identify the ac- 
count and the complaint and then verify that, in fact, it is an ac- 
tual complaint. 

And the security background checks that everyone would have to 
go through are exhaustive and extensive, and we have certain poli- 
cies and procedures in place, as well, that will — 

Mr. Westmoreland. I guess what I want you to answer is, who 
does the background checks? 

Mr. Antonakes. The Office of Personnel Management, and they 
use their sources that they do for personnel background checks. 

Mr. Westmoreland. So you really don’t know who does the 
background checks? 

Mr. Antonakes. The degree of, I think, background checks de- 
pends on their rank and the positions of the — 

Mr. Westmoreland. So you don’t know how many people have 
access to these files? And you don’t know really what type of back- 
ground check they have had? 

Mr. Antonakes. I know they have substantial background 
checks. I know the number of people is significantly limited to 
those who work in our consumer response area and those who work 
in our supervision and enforcement areas. 

Mr. Westmoreland. But you don’t know the number? 

Mr. Antonakes. I can provide you with the number. I don’t know 
the number offhand. 

Mr. Westmoreland. Sure. Okay. Let’s say one of my constitu- 
ents calls you up and says, “Can I see my data? Can I see my file 
that you have on me? First of all, do you have a file on me?” And 
if the answer would be yes, can they request the information that 
you have? 

Mr. Antonakes. The only information that we would have would 
be the information that they have provided us — 

Mr. Westmoreland. No. No, no, no, no. You are getting informa- 
tion from these outside groups, the banks. So can you give them 
that? 

Mr. Antonakes. The information that we would have on a con- 
sumer that came in through our consumer response portal would 
be the information they provided us, and then we would have a 
summary of — 

Mr. Westmoreland. I am not talking — I am talking about the 
PIT. 

Mr. Antonakes. So we are not collecting PIT for consumers who 
respond to our consumer response — 

Mr. Westmoreland. Well, no, but you do have this personally 
identification information, right? 

Mr. Antonakes. If they have provided it to us. 

Mr. Westmoreland. So if they find out that you have stored this 
and they don’t realize it or don’t remember it, can they ask to opt 
out? 

Mr. Antonakes. They are affirmatively reaching out to us and 
voluntarily providing us this information. There is a privacy notice 
which is provided to them at the moment that they are filling out 
that information. 
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Mr. Westmoreland. I look forward to some of these answers 
that you said you are going to respond to from these questions. And 
I appreciate you coming, and I appreciate your service. But I find 
it really hard to believe that you didn’t realize some of the ques- 
tions you were going to be asked today. So thank you for coming. 

Mr. Antonakes. Thank you. 

Chairwoman Capito. Thank you, Mr. Westmoreland. 

That concludes our first round, but I am going to go to a second 
round, because we have a few more interested folks who have addi- 
tional questions, one of whom is me. And the thing I am concerned 
about is, because I think we have a difficulty understanding ex- 
actly — because in my — in your first response to my question, you 
said you do not collect PIT. But in your subsequent testimony, you 
have said that on two occasions you would, when a consumer would 
opt in from a consumer complaint, and the other might be from 
other institutions or other information. 

That is the part, I think, that we are having the issue with, is 
not that the consumer is opting in to ask you to help them with 
the consumer complaint, but in the rhetoric, you are saying, no — 
or in your first statements, you said no. But in subsequent testi- 
mony, you are really saying, yes, we do, in certain instances. 
Maybe not the $800 million credit card cases, but in other cases, 
we do have this PIT. 

As clearly as possible, please explain that part and when that 
would come into play. 

Mr. Antonakes. Madam Chairwoman, I am sorry if I was not 
clear on this point in particular, trying to distinguish between some 
of the data that we are purchasing versus the data that we have 
access to through our supervisory program. So to the extent that 
we are conducting examinations which are mandated by Dodd- 
Frank, we are required to examine the large banks over $10 billion 
in assets — 

Chairwoman Capito. Right. 

Mr. Antonakes. — the large credit unions over $10 billion in as- 
sets — 

Chairwoman Capito. Right. 

Mr. Antonakes. — and certain non-bank entities, we have to ex- 
amine them on a regular basis to determine whether there are vio- 
lations of consumer protection laws. During the course of our ex- 
aminations, our examiners go on-site to these institutions and they 
conduct transaction testing, in which they are sitting down and 
looking at actual loans and loan-level data to determine whether 
there are violations of law. 

We are not maintaining or collecting this data unnecessarily. If 
it is a clean — 

Chairwoman Capito. Okay. 

Mr. Antonakes. — exam, we move on and we don’t collect it. 

Chairwoman Capito. Okay. Let me stop you right there, so I un- 
derstand. So if you have — on your supervisory job, you are col- 
lecting a transaction on a person, which then would have this — ^you 
have already said what PIT might be. Social Security number, 
mortgage, whatever name, address, all those things. 

So are you saying, then, that because you are conducting this in 
the supervisory, that you then don’t bring that information back 
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into the CFPB and hold it for 10 years in the cloud? Or do you 
leave it at the financial institution in the course of an exam? 

Mr. Antonakes. If there are violations found and it requires 
some form of corrective action, be it an informal action, be it a for- 
mal enforcement action, be it the requirements at reimbursement, 
then some of that information may be stored. 

Chairwoman Capito. So you bring that and store it? 

Mr. Antonakes. In certain circumstances, yes. 

Chairwoman Capito. Okay. In terms of the — what the gentleman 
from Georgia was asking about, whether you could opt out, I guess 
I am reading here in the Federal Register where individuals seek- 
ing notification and access to any record contained in this system 
of records or seeking to contest its comments may inquire in writ- 
ing, according with instructions? 

Mr. Antonakes. That is correct. 

Chairwoman Capito. Okay. I didn’t hear you say that. 

Mr. Antonakes. I’m sorry. Anyone can ask at any point in time 
if we have any records or information on them, and we would be 
obligated to respond. 

Chairwoman Capito. Right. That doesn’t mean they get to see 
their records, though. 

Mr. Antonakes. That is correct. 

Chairwoman Capito. It just means that they can respond about 
their records. Would that be clarification? 

Mr. Antonakes. Right. Yes. 

Chairwoman Capito. Yes? Okay. And I think you understand the 
concern on the privacy issue and the concern on what Americans 
are now finding out is being collected at all levels, whether it is fi- 
nancial information, concern, obviously, about health records, con- 
cern about national security records, concern about tax records. All 
of these things, I think it begs to have a great national discussion 
on where the fine lines between your own personal privacy is, 
whether it is in your financial institutions or not. 

Again, I am going to go back to the PIT information, because I 
think you have given a little bit of conflicting testimony, not inten- 
tionally, but more in terms of what your actual mission is, not to 
collect PIT, but in the course of moving forward in your supervision 
and in your examination procedures, PIT is part of what you do col- 
lect and keep. So would that be a true statement? 

Mr. Antonakes. Madam Chairwoman, for the market moni- 
toring, we don’t see the need to collect PIT. We are not studying in- 
dividual Americans. We are trying to protect Americans. 

So to the extent there is PIT that is collected, it is in response 
to consumer complaints or through our supervisory work, which, as 
I testified earlier, has resulted in significant reimbursements for 
American consumers already. 

Chairwoman Capito. Right. That would be mostly through your 
consumer complaint center — 

Mr. Antonakes. And — no. Primarily through our supervision 
program and enforcement program. That is where the 430 million- 
plus has come. 

Chairwoman Capito. And my last — I don’t even have a last — but 
I do thank you for your service and your testimony, for which I will 
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thank you again at the end of the hearing. We will go to — Mr. 
Scott, did you have an additional question? 

Oh, I’m sorry. Mrs. Maloney? 

Mrs. Maloney. I think privacy is incredibly important. And ev- 
eryone keeps going back to the PIT. So I would like you to put your 
policy on the PIT on your Web site that for broad areas, looking at 
interest rates, no one looks at anything private. But if an indi- 
vidual calls and says, they retroactively raised my interest rate on 
my credit card by 30 percent, then you look into that particular sit- 
uation. So I would like to request that you put this information up 
on your Web site so it is very clear. 

I would like to remind my colleagues why we created the CFPB 
in the first place. We had a financial crisis that economists tell us 
was the first financial crisis in the history of our country that was 
caused by policies that hurt consumers. This country lost anywhere 
from $12 trillion to $16 trillion because of a financial crisis that 
could have been prevented. 

That is why they were created, because consumer protection, the 
subprime crisis, was totally abusive and unfair prices — or policies 
that were put out there by some bad actors, some — not the full in- 
dustry. There are many honest, good financial institutions. But 
some bad actors, some of whom were not regulated, put this out 
there and brought this country to its knees. And our citizens are 
still suffering. 

No agency was looking at consumer protection. It was a sec- 
ondary thought, a third thought, or not thought about at all. So we 
believed — many of us — to have an agency that looked at protecting 
our veterans as they were overseas fighting, that looked at pro- 
tecting our students that we need to educate for our future, from 
high interest card rates, to protect our citizens. The credit card bill 
of rights that many of us worked on, according to the Pew Founda- 
tion, saved consumers $10 billion last year. That is a lot of money 
that goes into the hands of working men and women who need it. 

So the financial board came in place, and I would like to ask 
unanimous consent to place in the record a series of areas where 
they have saved consumers money, kept the money in the con- 
sumer’s pocket, which has helped the working men and women of 
this country. 

So they have been tasked and are mandated to look at policies 
in a broad way so that they can prevent abusive policies in the fu- 
ture, that new products that are created, that they look to see if 
they are fair to consumers, that consumers can understand them. 

Their success rate has been phenomenal, and their reports — 
granted, they take a long time to do, because they are data-driv- 
en — have helped us with better policies. In overdraft, an area that 
I work in, in credit card, an area that I work in, in student loans, 
it has helped us make better policy decisions. 

They are basically collecting data. We have to make sure that it 
is secure and private, but one aspect that you answered earlier, 
you testified that other financial agencies such as the Federal Re- 
serve are collecting more data than the CFPB is collecting. So what 
I don’t want this to be is a witch hunt after the CFPB, which is 
trying to protect consumers. 
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The other regulators — and they do a very important job — are pro- 
tecting institutions to make sure that they don’t go under or hope- 
fully will protect them from going under. But could you elaborate 
on what other financial institutions by law are collecting? 

And I believe you testified that they are collecting more informa- 
tion than the CFPB is. Is that correct? 

Mr. Antonakes. Ranking Member, I don’t know precisely how 
much information the other Federal regulators are collecting. 

Mrs. Maloney. The chairwoman and I are going to do a GAO re- 
port and find out — 

Mr. Antonakes. Right. 

Mrs. Maloney. — so that we can understand and also streamline 
it so that agencies aren’t collecting the same information. 

Mr. Antonakes. But my understanding is they do collect sub- 
stantial amounts of information. The credit card information we 
are collecting has been collected by other Federal agencies for sev- 
eral years. 

Mrs. Maloney. And what about stress tests that the Fed does? 
What kind of information do they collect? 

Mr. Antonakes. Certainly, the Fed has very broad authority, 
both in terms of monetary policy and bank regulation, and they are 
collecting very different data in many respects than the type of in- 
formation that we are collecting. 

Mrs. Maloney. What type of information — are they doing inter- 
est rates? Are they doing — 

Mr. Antonakes. Well, certainly, unemployment information — 

Mrs. Maloney. So that is what you are collecting? 

Mr. Antonakes. — a wide variety of information, but I would not 
be the best person to ask what particular information the Federal 
Reserve is collecting. 

Mrs. Maloney. I think we need to really review — 

Chairwoman Capito. The gentlelady’s time has expired. 

Mrs. Maloney. — all of the agencies. What are they collecting? 
And how are they protecting the consumer and financial institu- 
tions? 

I yield back. 

Chairwoman Capito. Mr. Duffy? 

Mr. Duffy. I would agree with the gentlelady from New York. 
We should know what other agencies are collecting, as well. But I 
would disagree with her in the sense that she mentions that obvi- 
ously the more data that you have, the better you are able to pro- 
tect consumers. 

I actually would agree with that component of it. But we always 
have a balance with the private sector and our government in pri- 
vacy and our civil liberties. And, yes, more data might mean more 
protection, but it also means less privacy for Americans. And I 
think you are tipping the scales into the privacy component, as op- 
posed to the protection component. 

In regard to data collection, what other agency collects nearly a — 
because you have 1.2 billion credit cards out there. You are col- 
lecting 73 percent, going to 80 percent. That is almost a billion 
credit card accounts. What other agency is collecting that kind of 
data out there? A billion accounts. 



44 


Mr. Antonakes. I believe the data collection activities that we 
have under way in the card space is very similar to other data that 
has been collected by the Federal Reserve, as well as the Office of 
the Comptroller of the Currency. 

Mr. Duffy. I do want you to answer my question. Is there an- 
other agency that collects about 80 percent — a billion accounts? 
Does the Fed do that? 

Mr. Antonakfs. I don’t know what percentage of the accounts 
that the other agencies collect, but I do know that they collect sub- 
stantial amounts of credit card data. 

Mrs. Maloney. Point of personal privilege, because my name 
was mentioned? 

Chairwoman Capito. Will the gentlelady suspend? 

Mrs. Maloney. Pardon me? 

Chairwoman Capito. Hold just a minute, please — time to ask 
you a question — 

Mr. Duffy. Yes, I would yield to the gentlelady from New York. 

Mrs. Maloney. I agree completely with Congressman Duffy that 
we need to have the right balance. We need to protect the con- 
sumers overall and have fair and honest banking practices, but we 
also have to protect privacy. And, again, I placed in the record a 
letter from five different consumer privacy groups — 

Mr. Duffy. Reclaiming my time — 

Mrs. Maloney. — who believe that the right balance was 
achieved — 

Mr. Duffy. — gentlelady from New York — 

Mrs. Maloney. — in the CFPB. 

Mr. Duffy. — with me in regard to the privacy balance. I just 
want to mention that — I believe that Senator Crapo had asked 3 
times that the CFPB to provide him information in regard to how 
many accounts and how many Americans have their financial data 
collected by your agency. And the CFPB has refused to provide that 
information to the Senate. 

Today, you have agreed to provide that information to us. Now, 
I am disappointed that you don’t have that number for this com- 
mittee. You knew the question was going to come up, and you were 
ill-prepared to answer it. But to that point, can we expect that in- 
formation within 2 weeks? 

Mr. Antonakes. Congressman, we have to be, I think, entirely 
precise, just so we can answer you correctly, in terms of what par- 
ticular information you are seeking — 

Mr. Duffy. How long — 

Mr. Antonakes. There is a lot of information. 

Mr. Duffy. How many accounts? How long will it take to get 
that information? 

Mr. Antonakes. Congressman, are you speaking to the instances 
in which we collect PIT or more broad information that does not in- 
clude PIT? 

Mr. Duffy. All accounts. 

Mr. Antonakes. Again, it is not accounts in some cases. It is 
loan-level data. It is other types of information, as well. We can 
seek to provide that information to you. We will do it in as timely 
a fashion as possible. 
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Mr. Duffy. Okay. I want to move to another issue. In regard to 
how you store financial data, do you silo your supervisory role, data 
that you collect in your supervisory role? Do you silo that informa- 
tion from the information you collect in your market monitoring? 
That information and data is siloed? They are separated? They are 
not merged? Is that correct? 

Mr. Antonakes. We don’t merge different data sets. Conceivably, 
market monitoring personnel would have access to some of the in- 
formation, because we are allowed to collect data for multiple pur- 
poses and sources, but we are not mixing and matching data sets. 

Mr. Duffy. So through the supervisory process, the data that 
you collect can be merged with the market monitoring. Is that cor- 
rect? 

Mr. Antonakes. That is not what I said. I said that they would 
have access and the ability to look at that information, but we are 
not mixing and matching data sets. We are not trying to re-identify 
consumers, from which we have not collected PII on. 

Mr. Duffy. Okay. We received a contract that the CFPB had 
with Experian through Judicial Watch. And that contract would 
have been used in the market monitoring function. Is that correct? 

Mr. Antonakes. That is correct. 

Mr. Dufey. And you have also testified today that in a market 
monitoring function, you don’t obtain personally identifiable infor- 
mation. Is that also correct? 

Mr. Antonakes. I am saying that if it is coming through pur- 
chases, voluntary information requests, we are not collecting PII. 

Mr. Duffy. Okay. 

Mr. Antonakes. If it is coming through the supervisory channel, 
it could conceivably — 

Mr. Dueey. That is right. But through market monitoring, you 
are not collecting it. In regard to Mr. McHenry’s question — and you 
also said that addresses, as well as ZIP Codes, plus four, are per- 
sonally identifiable information, correct? 

Mr. Antonakes. Correct. 

Mr. Duffy. Now, I have a contract here provided from Judicial 
Watch, your contract with Experian, which requests that the con- 
tractor shall provide ZIP plus four or other geographic location in- 
formation, such as census block identifiers. So I have a contract 
right here that shows that you are actually collecting that informa- 
tion, and so your testimony today is actually incorrect, per your 
contract with Experian. Is that right? 

Mr. Antonakes. I would have to verify the contract with 
Experian to see exactly what type of information we are — 

Mr. Dufey. So you are obtaining personally identifiable informa- 
tion in the market monitoring function, contrary to the testimony 
here today. I yield back. 

Mr. Antonakes. I don’t believe we are, sir. 

Chairwoman Capito. The gentleman’s time has expired. 

Mr. Scott? 

Mr. Scott. Yes, thank you. Madam Chairwoman. 

Let me just mention — and again, let me just commend the rank- 
ing member, with whom I very much agree on the need for this, 
and let me commend the chairwoman of the committee for this ex- 
traordinarily important hearing. 
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And, again, let me go to one point that needs clarification, which 
Mr. Duffy raised. First of all, we raise this huge number of $80 
million on the credit card issue. But isn’t it true that there prob- 
ably is no other area of great complaint and concern for consumer 
protection than the credit cards? We are almost a credit card soci- 
ety. We have stolen credit cards. We have misplaced credit cards. 

And I think it is very important to clarify that this PIT informa- 
tion that you have to request comes from the personal request of 
the individual coming to you to get you to look into this matter. 
Are those points correct? 

Mr. Antonakes. I would say credit cards is one significant area 
of complaints for us. There are others, but it is a significant area 
of complaints. 

And I would say, to the extent that a consumer is reaching out 
to us directly through our consumer response channel, in that in- 
stance, we are collecting PIT because they are asking us to inter- 
vene on their own behalf. 

Mr. Scott. And while Dodd-Frank, as we mentioned, outlaws PIT 
information and so forth, it does so within the context that you fit 
in with the same parameters as the FDIC, the Federal Reserve, 
and other regulatory agencies. Is that correct? 

Mr. Antonakes. That is correct. 

Mr. Scott. All right. Now, with that information, the other re- 
quest that comes from the other side — and on this request for num- 
bers and how many and so forth — might have something to do with 
the aspect of confidentiality and — we love C-SPAN, and it is all 
across the Nation, and the good people hear it, as well as bad peo- 
ple hear it, and so forth, so there is a reason for some method of 
confidentiality. 

But you have agreed to find a way individually to make that 
known to those various members of the committee who have been 
asking for it, correct? 

Mr. Antonakes. Correct. 

Mr. Scott. All right. Now, let me just ask you this question 
again. I don’t know if I matched it before, but I think it is very im- 
portant. Has there been any breach in the CFPB’s data system con- 
cerning this information? Has there been any breach in that infor- 
mation getting out? 

Mr. Antonakes. There has been no breach that we are aware of. 
Congressman. 

Mr. Scott. No breach that you are aware of. Which means, are 
there any — 

Mr. Antonakes. I don’t — 

Mr. Scott. — that you may be unaware of? I need a clear — 

Mr. Antonakes. Congressman, I don’t believe we have had a 
breach. 

Mr. Scott. I don’t believe, but — is there anybody else in there 
where information is brought that there may be a breach? 

Mr. Antonakes. We have no reason to believe there has been a 
breach. 

Mr. Scott. All right. Now, are there firewalls, internal firewalls 
that you have involved for storing and using any of this data so 
that we can give the public additional assurance that you have 
some system in place for various probabilities, that you have people 
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there whose job it is to just sit all day and all day and their job 
is to figure out, how can anything happen to get this information 
out to protect it? And do we have firewalls there? 

Mr. Antonakes. Yes, Congressman, we have firewalls, we have 
data security personnel, folks whose sole responsibility is to make 
sure that any data we collect is being maintained in a secure fash- 
ion. 

Mr. Scott. Okay. All right. And finally, I have one other very, 
very important point I would like to make, which is that we are 
working to try to get something right here to protect the American 
people who were grossly taken advantage of in so many areas. 

And I would say, of all that we have done in this lawsuit reform, 
the primary role of the CFPB is as the enforcer. And you can’t do 
that without getting the information. Is there anything you would 
recommend to this committee that you need to be able to do a bet- 
ter job? And especially responding to some of the concerns that we 
have had. 

Mr. Antonakes. Congressman, I believe we have the tools nec- 
essary to protect American consumers, which is our mandate and 
all that we focus upon and why we collect and analyze this data. 

Mr. Scott. Thank you, sir. 

Chairwoman Capito. Mr. Barr? 

Mr. Barr. Mr. Antonakes, thank you for your testimony today. 
I appreciate you providing this committee and the Congress with 
more information about the handling of American citizens’ person- 
ally identifiable information by the Consumer Financial Protection 
Bureau. 

But I wanted to follow up on a line of questions, which, with all 
respect, I don’t think we have the answer that I think some of my 
colleagues were seeking, and that has to do with the categories of 
information that you are collecting, the categories of PIT that you 
are collecting. 

One category is a category of PIT that you get from consumers 
who voluntarily disclose it to your agency, correct? 

Mr. Antonakes. Correct. 

Mr. Barr. The second and — there are only two, as I understand 
it, from your testimony — the second is personally identifiable infor- 
mation that the Bureau obtains in the course of exercising its su- 
pervisory function. Is that correct? 

Mr. Antonakes. That is correct. 

Mr. Barr. Okay, I am interested in this second category, where 
you are obtaining PII from third parties, okay? In those cases, 
would an individual be able to, through a FOIA request or some 
other mechanism, obtain a file in the possession or custody of the 
Bureau with their PII that was obtained from a third party? 

Mr. Antonakes. So my understanding — and I want to answer 
this carefully. Congressman, to make sure it is completely accurate 
and responsive to your question — my understanding is, under the 
Privacy Act, an individual consumer could request to know whether 
or not we had collected information on that person. And I believe — 
I have to verify — that we would then provide that information to 
the individual consumer. They couldn’t ask about other consumers; 
they could just ask about their own personally identifiable informa- 
tion. 
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Mr. Barr. Right, but to follow up Mr. Westmoreland’s line of 
questioning, for that category of information, PIT — 

Mr. Antonakes. Yes. 

Mr. Barr. — that is obtained by your agency from a third party, 
in the course of your supervisory functions — 

Mr. Antonakes. Right. 

Mr. Barr. — could the individual to which that confidential infor- 
mation or personal information applies — could that person obtain 
the file that you are keeping? 

Mr. Antonakes. I want to verify this, but I believe they have the 
right to ask, and then we will provide that information to them. 

Mr. Barr. Okay. Let me ask you another question about the dis- 
closure and the rules and the regulations that govern the Bureau’s 
disclosure of this personally identifiable information. One of the 
regulations, 12 CFR 1070.41(b), provides the Bureau with authority 
to make disclosures to your contractors and your agents. How 
many contractors, agents, and third parties have been granted ac- 
cess by the Bureau to this database of information? 

Mr. Antonakes. I would say we have different folks in a contrac- 
tual arrangement serving different roles at the Bureau. 

Mr. Barr. Yes, how many, approximately? 

Mr. Antonakes. I would have to provide that information for 
you. I want to be accurate. I would have to get that information 
for you. 

Mr. Barr. Are we talking a dozen or are we talking — approxi- 
mately how many contracts do you all have with third parties with 
whom you share this information? 

Mr. Antonakes. We have certain areas that we contract with to 
do certain services for certain work for us, so it varies. But those 
contractors would have access only to the information that is fun- 
damental to the job that they are doing. They wouldn’t have broad 
access to all of the information — 

Mr. Barr. When you disclose this information to the contractor 
or third party, who decides whether or not the information contains 
the PIT? 

Mr. Antonakes. It would be germane to the particular area. 

Mr. Barr. Okay, so — 

Mr. Antonakes. So if we had contractors, for example, sup- 
porting our consumer response function, then they may have access 
to some of the information coming in from complainants. They 
wouldn’t have information coming in through our supervisory chan- 
nel. 

Mr. Barr. But the bottom line is, is both your systems of records 
notice and your regulatory framework contemplates sharing PIT 
with third parties? 

Mr. Antonakes. With people who are working for us and who 
are operating under Federal privacy laws. 

Mr. Barr. One final question about the data that you collect 
from your supervisory role and then the purchase data sets. Do you 
match up the data that you obtain from purchased information, 
from Experian or CoreLogic or some of these other organizations — 
do you match at the individual level that data with the PIT that 
you obtain under your supervisory functions? 

Mr. Antonakes. No, sir, we do not. 
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Mr. Barr. Okay, my time has expired. 

Chairwoman Capito. Mr. Heck? 

Mr. Heck. Thank you, Madam Chairwoman. 

Hopefully, to close this maybe on a little bit of a positive note, 
and to use but one tiny but important example of how working 
with the CFPB has helped people, according to current law — I hope 
I say this accurately in its entirety — if you are a member of the 
service and you produce your orders with a stipulated end date, 
you are exempt from your student loan rate rising above a certain 
level while you are on active-duty service. 

Because of a peculiarity in the law, if you are an officer, your or- 
ders don’t carry a stipulated end date. And as a consequence, we 
have all manner of 22-year-old ROTC graduates about to get ham- 
mered by high student loan interest rates. 

Our office, working with the Bureau, through their efforts, iden- 
tified this as a problem, and there was an amendment added to the 
National Defense Authorization Act which corrected this, and that 
could not have occurred, sir, without the work of your agency fer- 
reting that out, identifying it, working it with the lenders, and with 
our office to amend the bill so that we can correct this going for- 
ward. Just a tiny example of where people have been helped and 
protected because of the work of your Servicemember Affairs Office. 
And I thank you for that, as well. 

Mr. Antonakes. Thank you. Congressman. Holly Petraeus and 
our entire Office of Servicemember Affairs do a tremendous job. 
Congress really appropriately identified in Dodd-Frank the special 
needs of servicemembers and how they have, on occasion in the 
past, been taken advantage of So the work they do is critically im- 
portant. Thank you. 

Mr. Heck. Thank you. 

I yield back the balance of my time. 

Chairwoman Capito. Thank you. I would like to thank the wit- 
ness. I would also like to just review that we have a request for 
information from follow up from the CFPB, specifically, I think, on 
the numbers of records more specific. 

Also, I would like to add to that, if you could, the categories of 
PIT that you have been collecting in the supervisory — I am not sure 
we got that definitively answered, and I think that would help the 
committee. 

So I would like to thank — 

Mrs. Maloney. What categories in general are they collecting? 

Chairwoman Capito. Yes, what categories in general of the PIT. 
And if you could submit that to me, too, I know some of the other 
Members, like Mr. Duffy and others, had asked for specific infor- 
mation. And thank you for indulging us a second round. I appre- 
ciate that. 
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The Chair notes that some Members may have additional ques- 
tions for this witness, which they may wish to submit in writing. 
Without objection, the hearing record will remain open for 5 legis- 
lative days for Members to submit written questions to this witness 
and to place his responses in the record. Also, without objection. 
Members will have 5 legislative days to submit extraneous mate- 
rials to the Chair for inclusion in the record. 

And without objection, the hearing is adjourned. Thank you very 
much. 

[Whereupon, at 12:27 p.m., the hearing was adjourned.] 
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Chairman Capita, Ranking Member Meeks, and Members of the Subcommittee, thank you for 
the opportunity to provide testimony today about the fundamental importance of data analysis to 
the mission of the Consumer Financial Protection Bureau (the Bureau). The Bureau is a data 
driven agency, because Congress recognized that the Bureau cannot do its job of protecting 
consumers and honest businesses unless it understands the consumer financial markets it 
oversees. 

My name is Steven Antonakes, and I serve as the Acting Deputy Director of the Bureau. 1 joined 
the Bureau in November 2010 as the Assistant Director for Large Bank Supervision and was 
named the Associate Director for Supervision, Enforcement, and Fair Lending in June 2012. I 
began my professional career as an entry level bank examiner with the Commonwealth of 
Massachusetts Division of Banks in 1990 and served in numerous managerial capacities before 
being appointed by successive Governors to serve as the Commissioner of Banks from 
December 2003 until November 2010. 

Congress created the Consumer Financial Protection Bureau in order to ensure that consumers 
have access to markets for consumer financial products and services, and that those markets are 
fair, transparent, and competitive. 

In carrying out its congressionally mandated supervisory, enforcement, and regulatory functions, 
the Bureau relies on rigorous empirical analysis - grounded in data - about how the markets for 
consumer financial products and services actually work. Data analysis is also fundamental to 
fulfilling our mandate to protect consumers. Analysis of data, as the law creating the Bureau 
prescribed, enables the Bureau to not only better protect and educate consumers, but it also 
enables the Bureau to coordinate with other regulators and craft tailored rules based on a careful 
examination of costs and benefits. The Bureau’s evaluation of this data also allows it to provide 
meaningful reports, as required by Congress, and to perform its consumer response function. 

In Fiscal Year 2012, the Bureau spent $7,129,460 on obtaining data to support its mission. To 
place this in context, this comprised 2.4 percent of the Bureau’s total budget. To date, the 
Bureau’s Fiscal Year 2013 data procurements total $3,169,300 or 0.6 percent of the total budget. 
The Bureau makes information about its non-government data vendors publicly available on 
USASpending.gov. 

The Bureau makes every effort to obtain market data in an efficient manner with an eye toward 
reducing the burden and cost on industry. The Bureau also makes every effort to safeguard and 
protect the information that it does obtain. The Bureau collects and studies data in order to 
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protect consumers throughout the United States in accordance with its statutory mandate, not to 
study any particular individuals. 


* * * 

As the events leading up to the financial crisis illustrate, all regulators must have timely and 
accurate information about the markets they oversee. Information is essential to properly 
supervise market participants, regulate markets, protect consumers and honest businesses from 
unscrupulous activities, and ensure the stability of the financial system and of the economy 
generally. Simply put, no agency can effectively supervise that which it does not understand. 

For example, the financial crisis showed that the lack of a comprehensive source for mortgage 
loan information - from origination through servicing - was a barrier to regulators’ ability to 
understand the market, foresee emerging risks, and ensure consumers were protected. For that 
reason, the Bureau, in partnership with the Federal Housing Finance Agency, is creating the 
National Mortgage Database. This database will help to fill the information gap with loan-level 
data of a random and representative sample of mortgages. The sample is being drawn from 
comraercially-available data. The Database will not contain personal identifiers such as names 
or social security numbers, and the agencies will implement safeguards against potential re- 
identification of individual borrowers. By populating the database with information that already 
exists, the agencies have sought to reduce any burdens imposed on market participants. 
Additionally, the database is intended to provide a foundation for satisfying the obligation that 
the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the Dodd-Frank Act) 
placed upon the Bureau, in collaboration with the Department of Housing and Urban 
Development, to build and make publicly available a default and foreclosures database. 

The Bureau’s focus on empirical analysis to protect consumers is not merely good policy; it is a 
central theme of the Dodd-Frank Act. Congress specified one of the Bureau’s primary functions 
as “collecting, researching, monitoring, and publishing information relevant to the functioning of 
markets for consumer financial products and services to identify risks to consumers and the 
proper functioning of such markets.”' To support this function. Congress directed the 
establishment of an Office of Research at the Bureau “whose functions shall include researching, 
analyzing, and reporting on” the markets for consumer financial products or services."' More 
broadly. Congress directed the Bureau, “in order to support its rulemaking and other functions,” 
to “monitor for risks to consumers in the offering or provision of consumer financial products or 
services, including developments in markets for such products or services.”^ 

Another important consumer protection activity that the Dodd-Frank Act prescribed is the 
supervision of certain institutions participating in the markets for consumer financial products 
and services.'' The Dodd-Frank Act authorizes the Bureau to require reports and conduct 
examinations of institutions in order to assess their compliance with Federal consumer financial 


' See 12 U.S.C. 5511(c)(3). 
\Seel2U.S.C. 5493(b)(1). 
’Seel2U.S.C. 5512(c)(1). 
‘'See 12U.S.C. 55U(c)(4). 
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laws, to obtain information about their compliance programs and activities, and to detect and 
assess risks to consumers and to the markets for consumer financial products and services.^ The 
Bureau is committed to empirically grounded analysis, and it is the Bureau’s practice to reduce 
burden on supervised institutions by utilizing when possible publicly available information, 
information obtained from other regulators, and information initially obtained or generated by 
other parts of the Bureau, 

In mandating that the Bureau monitor the markets for consumer financial products or services. 
Congress granted the Bureau “the authority to gather information from time to time regarding the 
organization, business conduct, markets, and activities of covered persons and service 
providers,” directed the Bureau to gather such information from a variety of sources, and 
expressly authorized the Bureau to utilize information initially collected for other purposes, such 
as consumer complaints or confidential supervisory information.* When the Bureau uses 
information collected for other regulatory purposes to perform its market monitoring functions, it 
first strips the information of personal identifiers and then performs aggregate analysis on that 
market data, rather than focusing on any individual. 

Although the Bureau does not analyze data containing personal identifiers when performing its 
market monitoring function, access to such data is sometimes necessary for the Bureau to fulfill 
its broader mission to protect consumers. For example, the Bureau will use data obtained 
through its supervisory authority to ensure restitution of approximately $6.5 million to close to 
50,000 .servicemembers harmed by violations of Federal consumer financial law. Additionally, 
through the collection of complaint data, the Bureau has highlighted the problems that 
servicemembers, in particular, face as consumers. For instance, the Bureau has helped individual 
servicemembers with permanent change of station orders resolve issues with mortgage servicers, 
and has issued a report detailing the types of issues faced by servicemembers, based on 
complaint data submitted to the Bureau’s Consumer Response Division. 

In several contexts, firms as well as individuals have voluntarily submitted data that the Bureau 
requested in order to fulfill its statutory mandates. For example in February, the Bureau asked 
the public to provide input on potential policy options to tackle the problem of unmanageable 
student debt. The Bureau received more than 28,000 responses from experts and individuals 
impacted by student debt. In May, the Bureau published a report on student loan affordability 
that discusses what the Bureau learned from the public about potential solutions for the market. 
The report concluded that unmanageable student loan debt can significantly limit the financial 
choices of individual Americans and, in the aggregate, could negatively affect the broader 
economy and society 


♦ * * 

To identify risks to consumers, the Dodd-Frank Act authorizes the Bureau to collect information 
from “a variety of sources” including consumer complaints, examination reports, and “available 


’ See 12 U.S.C. 5514{b)(l), 5515(b){l). 

’’Seel! U.S.C. 55 12(c)(4)(A) and (B)(i); see also 12 U.S.C. 5493(b)(3) (directing the Bureau to share consumer 
complaint data to facilitate market monitoring). 
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databases.”’ In accordance with these provisions, when the Bureau performs its market 
monitoring function, it seeks to rely, to the greatest extent possible, on information already in its 
possession, information in the possession of its fellow regulators, and information already 
aggregated in available databases. This practice serves to reduce any burden associated with 
institutions’ production of data by relieving them of the obligation to provide the same 
information twice for two different purposes. The Bureau is always cognizant of the potential 
burdens on industry and has worked with supervised institutions eollaboratively to attempt to 
reduce any burden associated with Bureau requests for information. 

The Bureau has also avoided creating burdens on industry by acquiring data from third parties 
when possible. For example, the Bureau obtained through a third party about 10 years of de- 
identified credit record data representing approximately 4 percent of consumers. The Bureau 
uses this information to perform independent analyses and reach independent conclusions with 
respect to risks to consumers and to markets. The Federal Reserve Bank of New York has been 
purchasing similar data for years, which it uses to prepare its widely quoted Quarterly Report on 
Household Debit and Credit. Other regulators collect similar information from market 
participants, and the Bureau makes conscious efforts to avoid duplicative requests and to share 
information with other regulators. 

Congress recognized, however, that in certain instances these available information sources may 
be insufficient, and it thus expressly authorized the Bureau to collect information directly from 
consumers through voluntary “surveys” and “interviews.”* For example, the Bureau recently 
requested authorization from the Office of Management and Budget to conduct a nationwide 
telephone survey of 1 ,000 credit card holders as part of its statutori ly-mandated study of 
mandatory pre-dispute arbitration agreements.^ It also authorized the Bureau to require covered 
persons and service providers to provide “information . . . necessary for the Bureau to fulfill the 
monitoring, assessment, and reporting responsibilities imposed by Congress,” provided the 
Bureau does not do so “for purposes of gathering or analyzing the personally identifiable 
financial information of consumers, As noted above, when the Bureau collects and analyzes 
data to perform its market monitoring function, it is interested in the way that consumers in the 
aggregate interact with the consumer financial markets, and not in the interaction of a particular 
individual with the markets. Accordingly, it does not analyze data that contains personal 
identifiers. 

In all of these ways provided by Congress, the Bureau is authorized and directed to rely on 
consumer financial marketplace data for many of its functions. It is important to emphasize that, 
in collecting data as Congress authorizes and directs the Bureau to do, the Bureau’s sole interests 
and intentions are to understand the market for consumer financial products and services, to 
assess the conduct of providers of such products and services, and to inform, educate, and protect 
consumers of such products and services. 


^ Id 

* i2U.S.C.55l2(c)(4)(B)(i). 

’ See 78 Fed. Reg. 34352 (June 7, 2013). 
12 U.S.C. 5512(c)(4)(B){ii), (C). 
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Moreover, the Bureau is committed to ensuring protections for consumers’ personal privacy. 

The Bureau stores and protects personally identifiable information, along with other confidential 
information and data, according to information security requirements that comply with 
applicable Federal laws and regulations.” The Bureau publishes a privacy policy on its website 
that sets forth privacy principles and steps that it takes to protect consumers’ personal privacy. 
These principles include minimizing the Bureau’s collection of personal information, informing 
consumers about how and why the Bureau collects and uses information about them, and training 
the Bureau’s employees and holding them accountable for their treatment of personal 
information. 

The Bureau has also issued regulations that limit the circumstances in which it may disseminate 
internally, share with other agencies, or disclose to the public confidential information, including 
consumers’ personal information. Internal dissemination of confidential information is limited to 
those employees for whom such information is relevant to the performance of their duties. 
External dissemination is strictly limited.” The Bureau’s rules permit the disclosure of materials 
derived from confidential information (for example, in reports to Congress), but only “to the 
extent that such materials do not identify, either directly or indirectly, any particular person to 
whom the confidential information pertains.”” 

♦ * * 

A deep and thorough understanding of the consumer financial marketplace is essential to 
accomplish the Bureau’s mission, and that, understanding must be based on data. Without 
adequate data, the Bureau could not fulfill its critical statutory mandates to protect consumers, 
monitor the consumer financial marketplace for risks, provide reports to Congress, and consider 
the potential benefits and costs to both consumers and market participants when proposing 
regulations. The Bureau has always sought to fulfill its statutory duties while respecting 
individuals’ personal privacy and imposing the least possible burden on market participants. 

Chairman Capita, Ranking Member Meeks, and Members of the Subcommittee, thank you again 
for this opportunity to appear before you today. I will be happy to answer your questions. 


" See, e.g., the Federal Information Security Act of 2002, 44 U.S.C. 3541, el the Privacy Act of 1974, 5 U.S.C. 
552a. 

'-See 12 CFR 1070.41(a). 

” See 12 CFR 1070.41(c). 
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July 8, 2013 

The Honorable Shelley Moore Capito 
Chairman 

Subcommittee on Financial Institutions 
and Consumer Ciedit 
House Financial Services Committee 
United States House of Representatives 
Washington, D,C. 205 1 5 


The Honorable Gregory Meeks 
Ranking Member 

Subcommittee on Financial Institutions 
and Consumer Credit 
House Financial Services Committee 
United States House of Representatives 
Washington, D.C. 205 1 5 


Rc: “Examining How the Consumer Financial Protection Bureau Collects and Uses 
Consumer Data” 

Dear Chairman Capito and Ranking Member Meeks: 

On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade 
association that exclusively represents tlie interests of our nation’s federal credit unions, I write 
today in conjunction with tomorrow’s hearing, “Examining How the Consumer Financial 
Protection Bureau Collects and Uses Consumer Data.” NAFCU member credit unions and their 
96 million member-owners appreciate the subcommittee’s continued focus on this common 
sense issue as the mishandling of sensitive infoimation could have a devastating impact on both 
consumers and financial service providers. 


As you know, the Consumer Financial Protection Bureau (CFPB) has broad authority to collect 
information from credit unions from a variety of sources including exam reports and consumer 
complaints. As the CFPB works to meet requirements outlined in the Dodd-Frank Wall Street 
Reform and Consumer Protection Act [P.L. 111-203], NAFCU has consistently cautioned that 
data collection efforts must include several layers of protection to ensure that sensitive 
information is not compromised. Specifically, NAFCU has expressed concern about the 
response intake fields on the CFPB’s consumer complaint form and has asked that the Bureau 
outline implementing procedures to ensure that employees handle this information with care. In 
an effort to minimize the potential for problems, NAFCU believes tlie CFPB should start by 
simply minimizing the breadth and scope of the personal information requested. NAFCU has 
also expressed similai- concerns to the Treasury Department as it creates a records system for the 
CFPB. Unfortunately, the CFPB has not done enough to wane our concerns. In fact, the CFPB’s 
inspector general recently found “weaknesses” in the agency’s security program and the 
Government Accountability Office has similarly expressed concerns about data security. 


NAFCU 1 Your Direct Connection to Education, Advocacy & Advancement 
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In short, unfortunately the federal government, much like several private sector industries, has 
been responsible for the unauthorized release of sensitive personal information in the past. 
Certainly, nobody intends to be a victim of data breach or theft; nonetheless the government, 
including the CFPB, needs to do everything possible to ensure that great care is taken in handling 
this information. With a constantly shifting regulatory environment driven by an inordinate 
amount of new rule writing, the last tiring credit unions should have to worry about is the 
personal information of their member-owners being lost or stolen at the hands of the 
government. Credit unions have strict privacy procedures they must follow and the CFPB should 
also be held to stringent standards. We also believe the CFPB should consider risks associated 
with credit unions’ well-earned reputation as entities that protect their members’ interests. 
Accordingly, NAFCU looks forward to tomorrow’s hearing and learning more about the CFPB’s 
prudence in this regard. 

As the subcommittee examines these issues at the CFPB, we would urge members to also keep in 
mind the general need for better data security standards for those who handle persoiial financial 
data, as many of those entities are not subject to the same standards that financial institutions ar e. 
NAFCU communicated the need for greater data security standards to you as part of our five- 
point plan for regulatory relief that was shared with the House Financial Services Committee on 
February 12*'’ of this year-. 

Thank you for holding this important hearing and for providing us with the opportunity to 
express our views. If you have any questions or would like further information about any of 
these issues, please do not hesitate to contact me or NAFCU’s Vice President of Legislative 
Affairs Brad Thaler by telephone at (703) 842-2204 or by e-mail at bthaler@nafcu.org . 


Sincerely, 

B. Dan Berger 

Executive Vice President, Government Affairs 


cc: 


Members of the Subcommittee on Financial Institutions and Consumer Credit 
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Committee on Financial Services 
Subcommittee on Financial Institutions and Consumer Credit 
Examining the Consumer Financial Protection Bureau’s 
Collection and Use of Consumer Data 
July 9, 2013 

QUESTIONS FROM CHAIRMAN SHELLEY MOORE CAPITO 
AND VICE CHAIRMAN SEAN DUFFY 


Capito/Dui-fv 1. 

How many U.S. consumer accounts is the CFPB monitoring as part of its data coliection 
activities? 


Response 

The Consumer Financial Protection Bureau (Bureau) does not monitor the accounts of particular 
consumers and does not track the financial habits or activities of any individual consumer. 
Instead, in the normal course of carrying out its statutory mandate to protect consumers, ensure 
regulatory compliance, and monitor the financial services and products markets for risks to 
consumers, the Bureau collects information about accounts from consumers who seek the 
Bureau’s help through the consumer response function and from the institution involved in the 
complaint. The Bureau also collects information from covered persons who are the subject of 
supervisory examinations or enforcement activity, as well as from whistleblowers and third 
parties who may have information relevant to an enforcement action. 

In addition, the Bureau performs market monitoring activities, which involve the analysis of 
market trends and risks to consumers based upon aggregating and analyzing account information 
stripped of direct or personal identifiers. Specifically, the Bureau’s market monitoring activities 
include; 

The Bureau has procured from a national credit reporting agency (CRA) credit information, 
stripped of direct or personal identifiers, with respect to a random and representative sample of 
consumers with a credit report. For the records comprising this Consumer Credit Panel (CCP), 
the Bureau receives the information in the CRA’s database with respect to all accounts 
associated with the record. The CCP records cover approximately a 4% sample of credit 
reporting agency records. The CCP is similar to panels that the Federal Reserve Board of 
Governors and the Federal Reserve Bank of New York each have maintained for several years. 

The Bureau is partnering with the Federal Housing Finance Agency (FHFA) to construct the 
National Mortgage Database (NMDB). For this database, the FHFA and Bureau have procured 
from a CRA credit information with respect to a random and representative sample of 5% of 
mortgages held by consumers. This credit information, like the data in the CCP, does not 
include direct or personal identifiers for individual consumers. The Bureau receives the 
infonnation in the CRA’s database with respect to all accounts associated with the record. The 
Bureau cannot directly link data in the CCP with data in the NMDB and thus does not know 
whether any of the records are common to the two databases. The Bureau also procures 


Page 1 of 49 
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commercialiy-available mortgage data from CoreLogic and BlackBox Logic that, like the CCP 
and NMDB, does not contain personal identifying information directly linked to individual 
consumers. 

In the exercise of its supervisory authority the Bureau is obtaining data stripped of direct or 
personal identifiers with respect to all credit card accounts maintained by a number of large card 
issuers. This data is collected and housed on behalf of the Bureau by Argus Information and 
Advisory Services, a company that is in the business of obtaining account-level data for credit 
cards and other financial services from financial services companies. The data being provided to 
the Bureau are the same type of data that credit card issuers regularly provide to Argus, such as 
the monthly balance, fees charges, interest charged, and payments received on accounts. The 
data the Bureau receives does not include transactions, such as purchases. Through a 
Memorandum of Understanding, the Bureau is also able to access data that is collected by a 
partner prudential regulator from an additional set of credit card issuers. The combined data 
represent approximately 85-90% of the outstanding card balances. None of the foregoing credit 
card data contain information that directly identifies individuals. 

Capito/Duffv 2. 

How many American citizens hold these accounts? 

Response 

As discussed in the response to question 1, the Consumer Financial Protection Bureau (Bureau) 
does not monitor the accounts of particular consumers and does not track the financial habits or 
activities of any individual consumer. Instead, in the normal course of carrying out its statutory 
mandate to protect consumers, ensure regulatory compliance, and monitor the financial services 
and products markets for risks to consumers, the Bureau collects information about accounts 
from consurners who seek the Bureau’s help through the consumer response function and from 
covered persons who are the subject of supervisory examinations or enforcement activity, as well 
as from whistleblowers and third parties who may have information relevant to an enforcement 
action. Additionally, the Bureau performs market monitoring activities that involve analysis of 
account information stripped of direct or personal identifiers. These activities are described in 
response to question 1. Without direct or personal identifiers, the Bureau cannot link these 
records to individual consumers. As a result, the Bureau cannot determine the number of 
citizens with respect to which data is being collected. 

CAPfl’O/Dlf-'FY 3, 

How many data fields are the CFPB collecting per account? 

Response 

There is no single system of consolidated data maintained by the Consumer Financial Protection 
Bureau (Bureau). The data fields contained in any particular database utilized by the Bureau 
vary depending on the purpose for which the data within it is gathered. As noted in response to 
question I , the Consumer Credit Panel contains fields collected by the credit reporting agency 
from which this data is being purchased, excluding fields that contain information identifying 
individual consumers (e.g., name, address, or social security number) or individual creditors. 

The National Mortgage Database (NMDB) will contain those fields, plus additional fields that 
are obtained by matching the records in the NMDB with other mortgage-related data, such as 
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data reported pursuant to the Home Mortgage and Disclosure Act. With respect to the credit card 
database, the fields are listed in the Request for Proposals that the Bureau issued and which can 
be accessed at 

https://wmv.fbo.gov/index?s=opportunity&mode=form&tab=core&id=6lf9e255acb3ac044freb4 

aelOcbecOO. 

In addition to these databases, the Office of Enforcement has received evidence and information 
from consumers, financial service providers, third-party entities, and other government agencies. 
This data is generally provided in unstructured form without searchable data fields. The Bureau 
is also authorized to gather information from institutions it supervises in order to assess 
compliance with the requirements of Federal consumer financial law, obtain information about 
the institutions’ activities and compliance systems or procedures, and detect and assess risk to 
consumers and to consumer financial markets. The type, amount, and format of information 
requested varies depending on which regulatory requirements are under review’. 

CAFIT0/DUI'FV4. 

What types of information do these fields include? 

Response 

Please see the response to question I . 

C.4PJTO/Dljl-r'V 5. 

How many data fields does the CFPB’s contract with Argus information and Advisory Services 
specify should be collected and retained? 

Response 

Please see the response to question 3. 

C.-\l>iTO/,Dl!Fl'"V 6. 

Will you provide this Committee with each of the complete contracts that the CFPB has entered 
into with private entities for purposes of data collection, analysis, and storage? If so, please 
provide these contracts along with your responses to these questions. If not, please explain why 
the CFPB will not do so. 

Response 

Attached are contract copies (and modifications). Contracts are limited to those that involve the 
purchase, collection, analysis, and storage of relevant data, 

• Argus Information and Advisory Services LLC (5 attachments) 

• Blackbox Logic LLC (7 attachments) 

• Brattle Group Inc. (5 attachments) 

• Clarity Services Inc. (4 attachments) 

• CLC Compliance Technologies Inc. (6 attachments) 

• CoreLogic Information Solutions Inc. (4 attachments) 

• Deloitte Consulting LLP (1 attachment for contract number CFP-I2-D-00006) 

• Deloitte Consulting LLP (5 attachments for contract number TPD-CFP-1 2-C-0008) 
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• Experian (4 attachments) 

• Fors Marsh Group LLC (7 attachments) 

• PriceWaterhouseCoopers LLP (2 attachments) 

that may contain trade 
The companies should 
possible competitive 

ATTACHMENT: Contract Copies 


Please be aware that the documents provided are contractual documents 
secrets and/or proprietary or confidential information of private entities, 
be consulted before any of this information is released publicly to avoid 
harm to these private parties. 


CAFlTO/DliFFt 7. 

How many memoranda of understanding (MOUs) has the CFPB signed with federal, state, and 
local governmental entities regarding the collection and sharing of data? 

Response 

The Consumer Financial Protection Bureau (Bureau) Office of Consumer Response has 
agreements to share consumer complaint data with 25 state and federal agencies. 

in addition, the Bureau has signed MOUs with the Conference of State Bank Supervisors and 
other signatories from all 50 states plus Puerto Rico and the District of Columbia designed to 
preserve the confidentiality of any supervisory information shared between the parties or related 
to the operation of the Nationwide Mortgage Licensing System and the Mortgage Call Report. 

The Bureau has also signed approximately 40 other MOUs with federal, state, and local 
governmental entities regarding the potential sharing of data and/or the treatment of shared data. 

C.APlTO/DliFFY 8. 

Has the CFPB signed MOUs with any federal financial prudential regulators? Which ones? 
Response 

The Consumer Financial Protection Bureau has signed MOUs with each federal financial 
prudential regulator, including the Board of Governors of the Federal Reserve System, the 
Federal Deposition Insurance Corporation, the National Credit Union Administration, and the 
Office of the Comptroller of the Currency. 

C,\pito/Di:ffv 9. 

How many MOUs has the CFPB signed with foreign governmental entities? 

Response 

The Consumer Financial Protection Bureau does not have MOUs with any foreign governmental 
entities. 
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Caph'O/Di^ffy iO, 

How many MOUs has the CFPB signed with foreign non-governmental entities? 

Response 

The Bureau does not have MOUs with any foreign non-governmental entities. 

Capito/Duffy 11. 

Will you provide this Committee with copies of any and all such MOUs that the CFPB has 
entered into with any entity regarding the collection and sharing of data? If so, please provide 
these MOUs along with your responses to these questions. If not, please explain why the CFPB 
will not do so. 

Response 

The Consumer Financial Protection Bureau (Bureau) will provide the Committee with copies of 
MOUs that the Bureau has entered into with other governmental entities regarding the collection 
and/or sharing of data, with the exception of MOUs that contain nonpublic information, such as 
confidential supervisory information or other sensitive information of other governmental 
entities. 

CD ATTACHMENT. 


C,Ai>rro/Dijri''v 12. 

Has the CFPB issued orders to any company requesting data or other information that has been 
used by the agency in any way to inform or augment its market monitoring efforts? If so, has it 
made these orders available to the public? 

Response 

The Consumer Financial Protection Bureau (Bureau) recently issued a number of similar orders 
pursuant to its authority under section 1022(c)(4)(B)(ii) of the Dodd-Frank Wall Street Reform 
and Consumer Protection Act (Dodd-Frank Act) seeking standard form consumer credit 
agreements from a number of covered persons. The information the Bureau will collect is 
intended to assist the Bureau as it works to complete the study mandated by section 1028(a) of 
the Dodd-Frank Act. These orders have not been published by the Bureau. 

C,APITO/l>l,il'TV 13. 

If the CFPB has requested data or other information from companies for its market monitoring 
efforts, but such requests have constituted an order, in what form have these requests been made? 

Response 

The Consumer Financial Protection Bureau’s (Bureau) recent orders seeking standard form 
consumer credit agreements were in the form of short orders setting forth the purpose of the 
request, the authority for the request, instructions for complying with the request, and contact 
infonnation to perniit recipients to follow-up with the Bureau with any questions. 
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Capi ro/Di'FFV 14. 

From which private companies and governmental agencies has the CFPB requested data? What 
is the scope of those data requests and how frequently do the entities provide the CFPB with the 
requested data? Please provide a complete answer for each such company and agency. 

Response 

The Consumer Financial Protection Bureau (Bureau) has purchased commercially available data 
from Experian that is updated quarterly; data from CoreLogic and BlackBox Logic that is 
updated monthly, and data, as a one-time purchase, from Clarity. None of these data contain 
direct or personal identifiers. 

As noted in responses to questions 7 and 8, the Bureau has also requested data from other 
agencies with which it has MOUs. For example, the Bureau received data from the Federal 
Flousing Finance Agency regarding mortgage loans to aid in the Bureau’s development of its 
recent mortgage rules. In each instance, the data requested and received did not contain direct or 
personal identifiers. 

In the course of its supervisory activities and enforcement activities, the Bureau has requested 
data from companies that are either subject to its supervision or subject to its enforcement 
jurisdiction. While most of these have been one-time requests, some may recur annually. The 
Bureau has also sought, one time, standard form consumer credit agreements pursuant to the 
Dodd-Frank Wall Street Reform and Consumer Protection Act 1 022(c)(4)(B)(ii). Because the 
supervisory and investigatory processes depend upon confidentiality, the Bureau does not 
disclose the names of the companies to which it makes supervisory or investigatory requests. 

Some companies have voluntarily submitted data to the Bureau under a pledge of confidentiality. 
The Bureau’s ability to obtain data voluntarily would be severely compromised if the Bureau 
were to breaeh its confidentiality pledge and reveal the identity of those eompanies. These have 
been one-time submissions. In each instance, the data requested and received did not contain 
direct or personal identifiers. 

CaI>1TO/DI!FF\' 15. 

News reports indicate that the CFPB is collecting consumer financial data on credit cards, credit 
card add-on products, overdraft fees, payday loans, and mortgages. Are these reports accurate? 
Are there any other areas in which the CFPB is collecting consumer financial data? 

Response 

The response to question I identifies instances in which the Consumer Financial Protection 
Bureau (Bureau) is obtaining data on an ongoing basis. 

In each supervisory examination that the Bureau conducts, it obtains financial data relevant to 
that exam. For what product the Bureau obtains information would depend on the scope of a 
particular examination. 
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In the course of preparing reports to Congress as mandated by the Dodd-Frank Wall Street 
Reform and Consumer Protection Act, the Bureau has obtained information on a voluntary basis 
from a number of student lenders, a credit reporting agency, and a remittance transfer provider. 
In each case, the data did not contain any direct or personal identifiers. 

In the course of investigating potential violations of Federal consumer financial laws, the Office 
of Enforcement obtains information relating to consumers in various segments of the financial 
services industry and uses that information to enforce compliance with the law and to obtain 
restitution and other forms of relief for consumers. For example, the Bureau has obtained 
consent orders requiring restitution be provided to servicemembers who were misled when 
taking out loans. The Bureau has also obtained court-ordered restitution for victims of 
foreclosure relief scams in two separate federal court judgments. 

The Bureau’s response to consumer complaints also may involve collection of consumer 
financial information needed to process complaints accurately. The information the Bureau 
collects to process any consumer complaint would depend upon the nature of the problems 
experienced by the individual consumer. 


C.vmo/DiT'FY 16. 

News reports indicate that the CFPB is assigning an identifier to each individual and requiring 
that all data providers use this identifier for each individual when submitting their data. Is this 
true? Please explain fully how the CFPB is using personal identifiers in its data collection 
activities. 

Response 

The Consumer Financial Protection Bureau (Bureau) does not assign an identifier and does not 
require all data providers to use this identifier. The Bureau has published System of Records 
Notices (SORNs) for any data for which personally identifiable information is retrieved by direct 
or personal identifiers. With respect to the SORN for Market and Consumer Research Records, 
the Bureau proactively published a notice that described a range of potential data collections and 
uses, however none of the data collected by the Bureau to date for market monitoring purposes 
have in fact contained direct or personal identifiers. The Bureau’s SORNs are available at 
http://www.consumerfinance.gov/privacy-office. 

CAi'iiO/DliFKV 17, 

Why docs the CFPB need to track the financial habits of an individual consumer? 

Response 

The Consumer Financial Protection Bureau (Bureau) does not track the financial habits of any 
individual consumer. 

In carrying out its congressionally mandated supervisory, enforcement, and regulatory functions, 
the Bureau relies on rigorous empirical analysis - grounded in data - to evaluate how the 
markets for consumer financial products and services actually work. Data analysis is also 
fundamental to fulfilling our mandate to protect consumers. Analysis of data, as the law creating 
the Bureau contemplated, enables the Bureau not only to better protect and educate consumers, 
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but also to coordinate with other regulators and craft tailored rules based on careful examination 
of costs and benefits. The Bureau’s evaluation of this data also allows it to provide meaningful 
reports, as required by Congress, and to perform its consumer response function, 

C.yFlTO.-'Ol.’FFV 18. 

Does the CFPB monitor any financial transactions attlie individual level? 

Response 

The Consumer Financial Protection Bureau does not monitor any individual’s financial 
transactions. 

C.vpn'o/DiJi'FV 19. 

Are any of the CFPB’s databases or IT systems capable of monitoring financial transactions at 
the individual level? Can any CFPB database retrieve financial information by individual 
identifier? 


Response 

The Consumer Financial Protection Bureau (Bureau) does not monitor individuals’ financial 
transactions. Please see responses to questions 1 and 3 for explanation of the types of 
information the Bureau collects and the purposes for that collection, including supervisory and 
investigatory information and information obtained from financial institutions in the resolution 
of consumer complaints, some of which contains personally identifiable financial information. 
The Bureau has published System of Records Notices (SORNs) for any data for which 
personally identifiable information is retrieved by direct or personal identifiers. With respect to 
the SORN for Market and Consumer Research Records, the Bureau proactively published a 
notice that described a range of potential data collections and uses, however none of the data 
collected by the Bureau to date for market monitoring purposes have in fact contained direct or 
personal identifiers. The Bureau’s SORNs are available at 
http://www.consumerfinance.gov/privacy-office. 


Capito/Duffv 20. 

How does the CFPB track or match its records with multiple datasets? 

Response 

There are limited cases where the Consumer Financial Protection Bureau (Bureau) matches 
records with multiple datasets. The Bureau may obtain updates or supplements to a dataset and, 
in those circumstances, may use record locators unique to the entity providing the update in order 
to update or supplement the individual records. For example, with respect to the Consumer 
Credit Panel and the National Mortgage Database, the credit reporting agency that supplies that 
data provides a unique record locator with respect to each record that enables the providers to 
update the database on a quarterly basis. With respect to the credit card database, each 
individual issuer that supplies data includes a unique record locator with respect to each account 
that enables the provider to update the database on a monthly basis. These record locators do not 
enable the Bureau to link these records to the identity of individual consumers or to records 
supplied to the Bureau by other entities. 


Page 8 of 49 



67 


With respect to the credit card database, issuers provide data, on a quarterly basis, directly to a 
national credit reporting agency (CRA) and provide to that CRA an identifier which enables the 
CRA to append to the record data maintained by the CRA. However, in this case, the Bureau 
does not do the match, the identifier is not transmitted to the Bureau, and the Bureau does not 
identify the account holder for any account in the database. 

In some other instances, the Bureau may match records based on fields such as geography and 
without the use of direct or personal identifiers. This was done for example when developing the 
data needed to inform the Title XIV rulemakings. 

CAPITO/Dlif'f'Y 21. 

How does the CFPB define “personally identifiable financial information?” 

Response 

Pursuant to the Gramm-Leach-Bliley Act, the Consumer Financial Protection Bureau (Bureau) 
defines “personally identifiable financial information” by regulation as follows: 

(q)(l) Personally identifiable financial information means any information; 

(1) A consumer provides to you to obtain a financial product or service 
from you; 

(ii) About a consumer resulting from any transaction involving a financial 
product or service between you and a consumer; or 

(iii) You otherwise obtain about a consumer in connection with providing 
a financial product or service to that consumer. 

* * * 

(2) Information not included. Personally identifiable financial 
information does not include; .... 

(B) Information that does not identify a consumer, such as aggregate 
information or blind data that does not contain personal identifiers such as 
account numbers, names, or addresses. 

The remainder of the definition provides examples. The complete definition can be found at 12 
C.F.R. §1016.3(q), along with interrelated terms. 

C.\PITO/»tlFFV 22. 

Will the CFPB commit to writing a rule to define the phrase “personally identifiable financial 
information?” 

Response 

Please see response to question 21. The Consumer Financial Protection Bureau (Bureau) issued 
an interim final rule defining the phrase “personally identifiable financial information,” pursuant 
to the Gramm-Leach-Bliley Act privacy provisions, consistent with the definitions of that term 
that other agencies had used in prior rules. See 76 Fed. Reg. 79025, 79032 (December 21, 2011) 
(promulgating 12 C.F.R. §1016.3(q)). That Bureau definition has been in effect since December 

30 , 201 r. 
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CAmo/DuFF'v 23. 

If not, will the CFPB commit to seeking public input and comment about the meaning of this 
undefined term? 

Response 

Please see responses to questions 21 and 22. When the Consumer Financial Protection Bureau 
(Bureau) published its interim final rule defining the phrase “personally identifiable financial 
infonnation” pursuant to the Gramm-Leach-Bliley Act, it solicited comment. The comment 
period ended February 21 , 2012. The Bureau intends to issue a final rule by the end of 2013. 


CAPiTO/DliFFy 24. 

What kind of personal information constitutes “personally identifiable financial information”? 
Does a person’s name? Does a personal identification number such as an SSN? Does address 
information? Flow about a ZlP+4? Telephone numbers? Personal characteristics such as 
pictures or fingerprints? Information identifying personally owned property? Employment 
infonnation? Medical infonnation? Credit score? 

Response 

Please see responses to questions 21 and 22. The Consumer Financial Protection Bureau’s 
definition of “personally identifiable financial information” pursuant to the Gramm-Leach-Bliley 
Act provides examples of information that is and is not included in the definition. The relevant 
portion of the rule reads as follows; 

(2) Examples, (i) Information included. Personally identifiable financial 
information includes: 

(A) Information a consumer provides to you on an application to obtain a 
loan, a credit card, a credit union membership, or other financial product or 
service; 

(B) Account balance information, payment history, overdraft history, and 
credit or debit card purchase information; 

(C) The fact that an individual is or has been one of your customers or has 
obtained a financial product or service from you; 

(D) Any information about your consumer if it is disclosed in a manner 
that indicates that the individual is or has been your consumer; 

(E) Any information that a consumer provides to you or that you or your 
agent otherwise obtain in connection with collecting on, or servicing, a loan or a 
credit account; 

(F) Any information you collect through an internet “cookie” (an 
information collecting device from a Web server); and 

(G) Information from a consumer report. 

(ii) Information not included. Personally identifiable financial information 
does not include: 

(A) A list of names and addresses of customers of an entity that is not a 
financial institution; and 
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(B) Information that does not identify a consumer, such as aggregate 
information or blind data that does not contain personal identifiers such as 
account numbers, names, or addresses. 

CAP1T0/1)1!FFV25. 

What kind of financial information constitutes “personally identifiable financial information”? 

Is any of this information linked or linkable to other information in the CFPB’s database? 

Response 

Please see responses to questions 2 1 and 24. There is no single system of consolidated data 
maintained by the Consumer Financial Protection Bureau. 

Capito/Di: F l'A’ 26. 

Does the CFPB collect any type of “personally identifiable financial information” about any U.S. 
citizen? If so, what types of information does it collect? In what circumstances? For what 
purposes? 

Response 

Please see responses to questions 1 and 3 for explanation of the types and purposes of 
information the Consumer Financial Protection Bureau (Bureau) collects, including supervisory 
and investigatory information and information obtained from financial institutions and 
consumers in the resolution of consumer complaints, some of which contains personally 
identifiable financial information. 


CAPtro/DUFFV 27. 

Do any CFPB contracts or MOUs with any outside entity provide for the collection of personally 
identifiable information? If so, which ones? Plea.se identify any such contract and MOU. 

Response 

The Consumer Financial Protection Bureau (Bureau) has MOUs that relate to the sharing of 
information or the treatment of shared information with federal and state agencies, as discussed 
in response to question 7. 

The Bureau has contracts to accomplish numerous aspects of its statutory mandate to protect 
consumers. Some of the work done under these contracts involves, as a component of carrying 
out our work, the collection of personally identifiable information (Pll). Those contracts include 
the following: 

• Contact Center Services/Consumer Response System Support - Vendor may obtain 
information about a particular consumer to help process a consumer’s complaint. 

• Compliance Analysis Tool, Analytical Services, Support & Training - Vendor receives 
loan portfolio data to support the Bureau’s supervisory function. 
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• Nationwide Mortgage Licensing System and Registry Services - Vendor is tasked with 
ongoing operation, maintenance, technical support, and end user support services which 
involves PH collection. 

• Forms Disclosure Testing & Support Services - Vendor collects PH from consumer 
testing participants. The Bureau does not request nor obtain any of the PIl. 

• Redress and Civil Penalty Fund 3^“* Party Administrator - Vendors may receive and/or 
collect information about hanned indivtduals/consumcrs for the purpose of distributing 
redress funds to these consumers in case-specific matters. 

• Human Resources Support Services - Vendors may be tasked with recruitment support 
which would entail collecting PII of potential job candidates. Vendors may also collect 
or have access to the PII of Bureau employees for workforce planning, data analysis, and 
other related support services. 

• Administration of Benefit Programs - Vendors may collect or handle the PII of Bureau 
employees for purposes of administering benefits, such as flexible spending accounts, 
dental insurance, vision insurance, and long and short tenn disability. 

• Interpreting Services - Vendor provides interpreting services to Bureau employees and 
applicants who request ASL for reasonable accommodation. Vendor receives names of 
those requesting assistance and their physical locations for the event. 

• Equal Employment Opportunity Counseling, Mediation, and Investigation Services - 
Vendors may collect PH through interviews or data collection for use in preparing 
counseling or investigation reports. 

• Consumer Experience Design Services - Vendor collects PII for the screening of 
individuals to be interviewed. This research data is used solely by the vendor. The 
Bureau does not receive this information. 

• Training Services — Vendor collects trainee information. 

• Subscription Setv'ices - Vendor collects user information for purposes of establishing 
accounts/licenses. 


C,\PlTO/Di;i-t Y 28. 

What is the CFPB’s statutory authority for demanding personally identifiable financial 
infonnation from companies? On which .specific provision of the Dodd-Frank Act does the 
CFPB rely? 

Response 

A number of provisions in the Dodd-Frank Wall Street Refonn and Consumer Protection Act, 
among them 12 U.S.C. § 5512(c), 12 U.S.C. § 5514(b), 12 U.S.C. § 5515(b), 12 U.S.C. § 5534, 
and 12 U.S.C. § 5562, authorize the Consumer Financial Protection Bureau (Bureau) to request 
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information. The Bureau’s information-gathering is consistent with these authorities and with 
limitations regarding personally identifiable financial information. 

Capito./Dijffy 29, 

If the CFPB requires that companies provide personally identifiable financial information as part 
of its monitoring activities, doesn’t the Dodd-Frank Act require it to prescribe the form of its 
requests by rule or order? Why has the CFPB not issued a rule governing the form of its data 
requests? 

Response 

Section 1 022(c)(4)(B)(ii) of the Dodd-Frank Wall Street and Consumer Protection Act (Dodd- 
Frank Act) gives the Consumer Financial Protection Bureau (Bureau) authority to require 
covered persons and service providers to submit reports and written answers regarding their 
participation in the markets for consumer financial products and services. As noted above, the 
Bureau has recently issued orders seeking standard form consumer credit agreements from 
covered persons pursuant to its authority under l022(c)(4)(B)(ii) of the Dodd-Frank Act. The 
information sought by the Bureau does not include personally identifiable financial infomiation. 

CAPiTO/Dlli'FV 30. 

Does the CFPB’s failure to issue a rule expose financial institutions to legal liability under the 
Gramm-Leach-Bliley Act for unlawfully disclosing non-public information? 

Response 

As explained above in response to question 1, the information that the Consumer Financial 
Protection Bureau (Bureau) receives directly from credit reporting agencies and other 
commercially available sources excludes direct or personal identifiers. The Gramm-Leach- 
Bliley Act and its implementing regulation. Regulation P, define “personally identifiable 
financial information” to exclude “information that does not identify a consumer, such as 
aggregate information or blind data that does not contain personal identifiers, such as account 
numbers, names, or addresses.” 12 C.F.R. § 1016.3(q)(2)(ii)(B), 

Where the Bureau receives personally identifiable financial information pursuant to its 
supervisory or enforcement activities or to resolve consumer complaints, these disclosures are 
exempt under the Gramm-Leach-Bliley Act and Regulation P. The Gramm-Leach-Bliley Act 
and Regulation P do not restrict financial institutions from disclosing personally identifiable 
financial information about consumers to “government regulatory authorities having jurisdiction 
for examination, compliance, or other purposes as authorized by law.” 1 5 U.S.C. 6802(e)(8) and 
12 C.F.R. § 1016.15(a)(7)(iii). 

CAmO/Dl!FKY3L 

May a financial institution refuse to provide the CFPB with information on this ground or any 
other legal ground? Under what circumstances may a financial institution refuse to provide 
requested information to the CFPB? Would refusing to do so violate the CFPB’s recently- 
released bulletin regarding “responsible business conduct” for supervised entities? What action 
would the CFPB take in such a case? 
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Response 

As explained in response to question 30, restrictions in the Gramm-Leach Bliley Act and its 
implementing regulations would not be an appropriate reason for declining to provide 
information to the Consumer Financial Protection Bureau (Bureau) as required under the Dodd- 
Frank Wall Street Reform and Consumer Protection Act. 

The Bureau’s bulletin regarding responsible conduct describes various forms of conduct that the 
Bureau will view favorably in assessing a company’s violation of law. Like many other law 
enforcement agencies, the Bureau believes it is appropriate to take account of the steps a 
company had taken to avoid violating the law and how, once a violation nonetheless occurred, 
the company responded to it. 

Capito/Diiffv 32. 

Isn’t it true that the Dodd-Frank Act prohibits the CFPB from collecting “any personally 
identifiable information about a consumer from the financial records of the covered person or 
service provider,” except when consumers give their permission? If not, on what legal authority 
does the CFPB rely for the collection of this information? 

Response 

The que.stion refers to Section 1022(c)(9) of the Dodd-Frank Wall Street Reform and Consumer 
Protection Act. That provision also allows for the collection of covered information as permitted 
or required under other legal provisions, consistent with the Right to Financial Privacy Act. The 
Right to Financial Privacy Act, as amended when Congress established the Consumer Financial 
Protection Bureau (Bureau), specifically exempts from its restrictions the disclosure of 
information to the Bureau in the course of supervision. 


CAPUo/Durf-y 33. 

Is the CFPB subject to the Privacy Act of 1978? 

Response 

The Consumer Financial Protection Bureau is subject to and complies with the Privacy Act of 
1974. 

Capito/Diiffv 34. 

The CFPB issued a Statement of Records Notice (SORN) on November 1 2, 2012, entitled 
“CFPB.022 - Market and Consumer Research Records.” According to the SORN, the purpose 
of the database is “to enable CFPB to monitor, research, analyze, and report information relevant 
to the functioning of markets for consumer financial products and services.” Is this the database 
the CFPB is using for its data collection and market monitoring efforts? 

Response 

The Consumer Financial Protection Bureau (Bureau) does not maintain a single database of 
consolidated information. The Bureau published the System of Records Notice (SORN) for 
Market and Consumer Research Records (CFPB.022) on November 14, 2012. The SORN set 
out the types of records that could be collected and the potential uses that could be made of those 
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records. The Bureau believes that in publishing SORNs for public comment it is appropriate to 
identify the range of potential data to be collected and potential uses. 

The SORN covers records which are retrieved by direct or personal identifiers. As explained in 
response to question number 1, the data that the Bureau has secured does not contain, and is not 
retrieved by, direct or personal identifiers. Therefore, these data fail outside the scope of the 
SORN and no activities have taken place with respect to the SORN. 


Capito/Duffy 35. 

Why does the CFPB need to use personal identifiers for monitoring and analyzing markets? 

Why not just select random samples of datasets? 

Response 

The Consumer Financial Protection Bureau (Bureau) does not collect direct or personal 
identifiers of consumers for the purposes of monitoring and analyzing markets. 

As explained in response to question 1 , the Bureau's Consumer Credit Panel and National 
Mortgage Database contain a random sample of records drawn from a credit reporting agency, 
none of which contain direct or personal identifiers. For the credit card database, credit card 
issuers provide a full file of accounts to the Bureau’s contractor, stripped of direct or personal 
identifiers, rather than a random sample because this is the same format in which they provide 
data to the same contractor for benchmarking services that they purchase from the contractor 
pursuant to private agreements. This reduces costs and burden for the issuers supplying the data 
as it avoids the need to draw a random sample, to provide data with respect to those accounts on 
an ongoing basis, and to add to the sample each time the data is provided to assure that the 
sample remains representative of all accounts, including newly-originated accounts. 

CAI’ITO/DliFFY 36, 

Ts the CFPB using, or does it intend to use, its database to conduct longitudinal studies about 
consumer behavior? 

Response 

The Consumer Financial Protection Bureau (Bureau) does not maintain a single database of 
consolidated information. The Consumer Credit Panel and National Mortgage Database 
described in response to question 1, in order to capture the period before the financial crisis, 
contain 10 years of history. The credit card database contains over 5 years of history. The 
Bureau intends to update these records on a regular basis. These databases may be used to 
understand trends in the market, including consumers’ behavior in the aggregate, but are not used 
to understand any specific individual’s behavior. 

Capito/Diiffy 37. 

Is the CPFB subject to the E-Government Act of 2002? 

Response 

The Consumer Financial Protection Bureau (Bureau) is subject to Section 208 of the E- 
Govemment Act of 2002, including its requirements related to privacy impact assessments. 
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Although the Bureau is not legally obligated to follow OMB-issued guidance, including the 
guidance promulgated pursuant to Section 208(b), it voluntarily follows OMB privacy-related 
guidance as a best practice and to facilitate cooperation and collaboration with other agencies. 


C.4prro/I)iiFFY3S. 

Why hasn’t the CFPB issued a “Privacy Impact Assessment,” or PIA, for its “Market and 
Consumer Research Records” database? 

Response 

There is no single “Market and Consumer Research Records” database. The Consumer Financial 
Protection Bureau (Bureau) published a System of Records Notice (SORN) for Market and 
Consumer Research Records on November 14, 2012, for public comment. The SORN set out the 
purposes for which certain information could be collected and the potential uses and disclosures 
that could be made of those records. No activities have taken place with respect to that SORN; 
the Bureau published the SORN proactively with the goal of having these privacy requirements 
met and public comment solicited should any relevant data collection necessitating a SORN be 
undertaken. 

In general, the Bureau safeguards privacy by conducting and publishing Privacy Impact 
Assessments (PIAs) whenever we introduce new technologies or modify existing technologies 
that contain or work with personally identifiable information, pursuant to the definition 
established by the Office of Management and Budget in OMB Memorandum 07-16 (M 07-16) 
“Safeguarding Against and Responding to the Breach of Personally Identifiable Information, 

May 22, 2007.” The Bureau has not published a PIA for any market and consumer research 
records because no such change has been introduced. 

C.-\l>ITO/!>liFFY 39. 

Who is responsible for conducting and approving a PIA at the CFPB? Who is the CFPB’s Chief 
Privacy Officer? 

Response 

In accordance with the Consumer Financial Protection Bureau’s (Bureau) regulation on “CFPB 
Disclosure of Records and Information,” the Chief Information Officer (CIO) is responsible for 
ensuring compliance with federal privacy requirements. 12 C.F.R. part 1070 (2013). The CIO 
has delegated this authority to the Chief Privacy Officer, Claire Stapleton. 


Capito/Dfffv 40. 

Will the CFPB commit to conducting and publicly releasing a PIA for its “Market and Consumer 
Research Records” database? If so, by what date? If not, why not? 

Response 

Please see response to question 38. 
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Capito/Duffv41. 

Has the CFPB calculated the total cost, to date, of its data collection efforts, including, but not 
limited to, costs incurred in the acquisition, storage, protection and analysis of data? 

Response 

The cost to date of the Consumer Financial Protection Bureau’s (Bureau) contracts to obtain data 
is: FY 2013 - $6,061,900; FY 2012 - $7,129,460. Both fiscal years include contracts with 
commercial and government vendors. 

We are unable to break out the costs of storing and protecting this specific data. Our managed 
service contract for our technology environment includes costs for hardware, software, labor, 
facilities, and computing power. These costs are shared across a number of Bureau technology 
needs, making it very difficult to ascertain the costs for discrete components, e.g. specific data, 
within that environment. 


Capito/Duffy 42. 

lias the CFPB ascertained the costs incurred by supervised institutions in complying with its data 
requests? Has it asked these institutions for an accounting of the costs each incurs? If so, what 
are the costs? 

Response 

The Consumer Financial Protection Bureau (Bureau), like the federal prudential regulators, must 
obtain certain information from the institutions it supervises. The Bureau conducts examinations 
and requires reports to carry out its functions under Title X of the Dodd-Frank Wall Street 
Reform and Consumer Protection Act to: (i) assess compliance with the requirements of Federal 
consumer financial law, (ii) obtain information about the activities and compliance systems or 
procedures of these persons, and (iii) detect and assess risks to consumers and to markets for 
consumer financial products and services. 12 U.S.C. §§ 5514(b)(1) and 5515(b)(1). The Bureau 
recognizes the importance of minimizing burdens on the institutions it supervises. For that 
reason the Bureau has, for example, worked with institutions that have informed it that particular 
information requests would be difficult and/or expensive to fulfill and modified requests 
accordingly. 


CAPi ro/Di FFt' 43. 

Has the CFPB solicited feedback from any institutions about the cost of these data requests and 
production? Have any financial institutions volunteered or shared feedback with the CFPB that 
information? If so, which ones? 

Response 

Throughout the supervisory process, the Consumer Financial Protection Bureau (Bureau) 
maintains an open dialogue with the institutions it supervises. The Bureau regularly receives 
input on a variety of matters, and, as noted in response to question 42, has received input on the 
difficulty and/or expense of fulfilling an information request. In certain instances, the Bureau 
has been able to modify its information requests to reduce the burden on the supervised 
institutions while still accomplishing the purposes of the examination. Under the Bureau’s 
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disclosure rules, it generally may not reveal confidential supervisory information, which would 
include the identities of institutions and the substance of discussions with them within the 
context of the supervision process. 12 C.F.R. part 1070. 


CAPn'0/f)(jH'Y44. 

How does the CFPB plan to utilize the data it collects in each of the following areas: (i) research 
and analysis, (ii) supervision, (iii) enforcement, and (iv) regulation? 

Response 

The Consumer Financial Protection Bureau (Bureau) has several tools for gathering information, 
including through examinations, civil investigative demands, publicly available sources, 
consumer complaints, and through the Section 1022(c)(4) authority discussed above. 

Data collected using one of these tools may be relevant to both the function for which it was 
collected and another related function. For example, one of the Bureau’s primary functions is to 
collect, investigate, and respond to consumer complaints. Although the Bureau receives 
complaints in the course of performing this function, the complaints, and the data derived from 
them, also support other Bureau functions, including, for example, its consumer education 
function and its supervisory and enforcement functions. Similarly, data the Bureau gathers in 
examining institutions for purposes of detecting risks to consumers and to consumer financial 
markets will also often help the Bureau fulfill Congress’ mandate that it monitor the markets for 
risks to consumers. 

The Bureau utilizes the data it possesses for empirical analyses such as those included in our 
reports on private student loans (which relied on anonymized data provided voluntarily to the 
Bureau by a number of lenders) and payday lending and deposit advance products (which relied 
principally on data collected through supervisory exams). These analyses may include 
descriptive tabulations in addition to more formal econometric modeling, which together, 
support the Bureau’s mission to understand consumer financial markets; to monitor for risks to 
consumers in the offering or provision of consumer financial products or services; and more 
generally, to follow developments in markets for such products or services. These data and 
analyses also support policy development, including rulemaking and any related considerations 
of the benefits, costs, and impact of particular rules. 

The Bureau utilizes data — including data gathered during examinations, consumer complaints, 
and publicly available data— to prioritize its supervisory activities and to examine institutions’ 
compliance with Federal consumer financial law, their compliance programs, and the risks their 
activities pose to consumers. 

The Bureau is directed to enforce Federal consumer financial law for the protection of 
consumers, and is authorized to obtain information where there is reason to believe it may be 
relevant to a violation of that law. The Office of Enforcement uses such information to uncover 
wrongdoing by those who violate Federal consumer financial protection laws, to prevent and 
deter such violations, and to obtain refunds and other relief for consumers who have been 
harmed. Such information, which may include data that contains individual information, is 
obtained and maintained in accordance with all applicable laws and protections. 
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In fifteen enforcement actions resolved since the Bureau’s creation in 201 1, the Bureau has 
levied fines of more than $62 million and has obtained orders requiring more than $445 million 
to be returned to 5.8 million consumers who were harmed by the unlawful practices of credit 
card companies, foreclosure and debt relief scams, and mortgage referral kickback schemes. 

Capito/Dijffv 45. 

How does the CFPB plan to ensure that personally identifiable information (PH) obtained 
through the consumer complaint process is not used contrary to gathering limitations on such 
information under CFPB rulemaking authority? 

Response 

The limitations on the Consumer Financial Protection Bureau’s (Bureau) gathering of personally 
identifiable financial information to which this question refers are contained in Section 
1022(c)(4)(C) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank 
Act), which concerns the Bureau’s authority to obtain records from regulated entities to perform 
its market monitoring and reporting obligations. This provision does not relate to the Bureau’s 
consumer complaint functions. The Dodd-Frank Act expressly requires the Bureau to accept and 
assist in the resolution of consumer complaints. Inherent in such a requirement is authority to 
collect personally identifiable information from consumers who choose to submit complaints to 
enable the Bureau to facilitate the complaint resolution process. The Bureau’s collection of 
personally identifiable information during the consumer complaint process thus does not conflict 
with Section 1022(c)(4)(C) and its limitations in any way. 


C,\PiTO,/DUFFV' 46. 

The CFPB’s Privacy Policy released on December 6, 2012 states “Before we collect PII, we tell 
you what we are collecting, why we are collecting it, and how we are going to use it.” Is the 
CFPB currently living up to its privacy policy? Who is the “you” in this statement and where is 
this information displayed that tells “you” what, why and how Pll is used? 

Response 

The “you” referred to in the Privacy Policy published by the Consumer Financial Protection 
Bureau (Bureau) on December 6, 2012 is the American consumer. The Bureau is living up to its 
Privacy Policy. In numerous ways, the Bureau notifies individuals of its intentions to collect 
personally identifiable information, of its purposes in doing so, and of its uses of such 
information. For example, the Bureau publishes in the Federal Register Systems of Records 
Notices, as required by the Privacy Act, which contain such notifications with respect to major 
categories of the Bureau’s information collection activities, including its supervisory, law 
enforcement, consumer response, and consumer research activities. The Bureau also provides 
Privacy Act Statements to individual consumers when it collects information from them directly, 
such as when it accepts consumer complaints. Many Bureau media releases and policy 
statements also include di.scussions of the details of its information collection activities. Finally, 
in many instances, the statutes governing the Bureau’s activities provide notice by expressly 
requiring or authorizing the Bureau to collect certain information, such as consumer complaints, 
and to use that information for certain purposes. The Bureau’s comprehensive Privacy Policy 
and Legal Notices, available at http;//www/consumerfinance.gov, provide further information. 


Page 19 of 49 



78 


Capito/D!,:ff'>' 47. 

Would forcing financial institutions to disclose this information cause them to violate their legal 
obligations to protect the privacy of the customers’ persona! information? 

Response 

The Consumer Financial Protection Bureau does not require financial institutions to disclose 
information that would violate their legal obligations to protect the privacy of customers’ 
personal information. For information about the application of the Gramm-Leach-Bliley Act and 
its implementing regulations to the disclosures at issue here, please see the response to question 
30. 

C,Am'0,'l)(!FFV 48. 

Is the amount of data and the frequency of the data collection appropriate for the specific stated 
purpose by CFPB for how the agency intends to use the data? 

Response 

The Consumer Financial Protection Bureau’s (Bureau) responses herein, including responses to 
questions 1 , 3, and 44, describe the Bureau’s usage of data to fulfill its statutory mandates, 
including supervision, enforcement, regulation, research and analysis, and consumer response. 
The Bureau makes every effort to ensure that its data collections are appropriate in frequency 
and amount to the regulatory functions for which they are to be used. For example, the 
Consumer Credit Panel and the National Mortgage Databases are updated quarterly. This 
reduces the cost compared to a monthly update and still provides information in a timely fashion. 
With respect to the credit card database, the credit card issuers who are clients of Argus already 
provide information to Argus on a monthly basis. Thus, the credit card database is updated 
monthly. This assures that as supervisory examinations are planned and conducted, the Bureau 
is operating on the most current data. 

CAI'tTO/niiFFV 49, 

Is it possible for the CFPB, or any third party vendor working on behalf of the CFPB, to reverse 
engineer raw data to identify individual consumers? 

Response 

The Consumer Financial Protection Bureau (Bureau) is sensitive to the concept and risks of re- 
identification generally and has been careful to minimize that risk by using de-identified data to 
perform its market-monitoring function and by keeping each data collection for market 
monitoring separate from other such collections. The Bureau purposefully reduces the likelihood 
of data being re-identified by restricting access to data to those whose work requires it, and 
providing privacy and security training to Bureau personnel on how to handle and protect data 
appropriately. Neither the Bureau nor its contractors (who are subject to the same security 
requirements as Bureau employees) attempt to re-identify data that is or has been rendered de- 
identified. 
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Capi ro/Duf FV 50. 

Has the CFPB set a time period for retaining this data, and will the individual consumer financial 
infoimation be purged from all federal records after this retention period? 

Response 

The Consumer Financial Protection Bureau (Bureau) will manage all computer and paper files as 
permanent records until the disposition schedule for these records is approved by the National 
Archives and Records Administration, at which time, the Bureau will dispose of such files in 
accordance with the schedule. 

Cafito/Di.tfy 51 . 

Has the CFPB suffered any breaches of data, and has any data breach reached consumer 
information? 

Response 

To date, the Consumer Financial Protection Bureau (Bureau) has been notified of and responded 
to a total of 3 incidents that were deemed to be breaches, which is defined as involving the 
breach, loss, or compromise of personally identifiable information (PIl). Each incident involved 
the Pll of one consumer, and each consumer was notified of the incident(s) and provided credit 
monitoring services/subscriptions for one year. The breaches impacted consumers who had 
submitted complaints through the Bureau’s consumer response system. In each case, the breach 
resulted from a Bureau employee error. The employees received additional training, the 
consumer response system was updated to allow only one complaint to be accessed at a time to 
reduce the chance of human error when attaching documentation, and additional supervisor 
checks have been established, 

CAPITO/Dl.iFFV52. 

Are data sets gathered from the CFPB’s market research function merged with data sets from its 
consumer complaint database? Or are there walls in between this data? 

Response 

The data sets gathered for market research are not merged with consumer complaint data sets. 

Regarding the CFPB’s SORN entitled “CFPB.022 - Market and Consumer Records,” 
please answer the following questions fully : 

Capito/Duffv .53. 

What data is being collected, used, disseminated, or maintained in the system? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.O?? - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau, nor a single Market and Consumer 
Records database. 
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The Market and Consumer Research Records SORN set out the types of records that could be 
collected and the potential uses that could be made of those records. The Bureau believes that in 
publishing SORNs for public comment it is appropriate to identify the range of potential data to 
be collected and potential uses. As documented in the SORN, the records may include: 

(1) contact information (e.g., names, phone numbers, email addresses, physical addresses, and 
governmcntal-issued identification numbers); (2) information collected from consumers as part 
of surveys, randomized controlled trials, or through other mechanisms; (3) consumer financial 
transaction data and other information related to consumers' financial statuses; (4) information 
about the legal relationships between consumers and market participants, such as contracts and 
dispute records; (5) information about commercial relationships between consumers and other 
market participants; and (6) information on consumer characteristics collected by market 
participants or other entities. 

No activities have taken place with respect to this SORN; the Bureau published the SORN 
proactively with the goal of having these privacy requirements met and public comment solicited 
should any relevant data collection necessitating a SORN be undertaken. 


C.4Prro/DiiFFY 54. 

Why is the information being collected, used, disseminated, or maintained? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met should any data collection necessitating a SORN be undertaken. 

In general, the reason for information being collected, used, disseminated, or maintained is 
documented in a SORN. In this case, as documented in the SORN, were data to be collected, it 
would be collected for purposes of monitoring, researching, analyzing, and reporting information 
relevant to the functioning of markets for consumer financial products and services. 

C.yprro/Di.'FFY 55. 

What are the sources of information in the system? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to this SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

Potential sources of information are documented in the SORN for Market and Consumer 
Research Records, which was published on November 14, 2012. The SORN set out the types of 
potential sources of information that could be accessed and the potential uses that could be made 
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of records drawn from those sources. The Bureau believes that in publishing SORNs for public 
comment it is appropriate to identify the range of potential data to be collected and potential 
uses. 

CAPiTO/BUFFY 56. 

What technologies are being used to collect the data? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, the Bureau primarily receives data through secure File Transfer Protocol (sFTP) and 
physical media transfers. Secure File Transfer Protocol is a standard protocol that enables the 
secure transferring of files from one entity to another. When in-taking data by physical media, 
the dataset is uploaded into a secure environment and the physical media is delivered to the 
Records team for retention. 

C.-\i>tTO/0(;i'FV 57. 

How is the information collected? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s SORN 
entitled “CFPB.022 - Market and Consumer Research Records.” There is no single system of 
consolidated data maintained by the Bureau. No activities have taken place with respect to that 
SORN; the Bureau published the SORN proactively with the goal of having these privacy 
requirements met and public comment solicited should any relevant data collection neces.sitating 
a SORN be undertaken. 


C.A,PiTO/DliFF\ 58. 

What legal authority and/or agreements allow the information to be collected? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

A number of provisions in the Dodd-Frank Wall Street Reform and Consumer Protection Act, 
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among them 12 U.S.C. § 5512(c), 12 U.S.C. § 5514(b), 12 U.S.C. § 5515(b), 12 U.S.C. § 5534, 
and 12 U.S.C. § 5562, authorize the Consumer Financial Protection Bureau to request 
information. 

C,.\.prro/l)UFFV 59. 

What information is retained? How long and for what reason is it retained? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, the Bureau will manage all computer and paper files as permanent records until the 
disposition schedule for these records is approved by the National Archives and Records 
Administration, at which time, the Bureau will dispose of such files in accordance with the 
schedule. 


CAmo/l.)Ul'FY60. 

Is there a records retention schedule that has been approved by the National Archives and 
Records Administration (NARA) for the information system? If so, what is the name of the 
records retention schedule? If not, why not? If a records retention scheduled has been drafted but 
not yet approved by the NARA, please provide a copy of the draft schedule. 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records,” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

The Bureau is currently drafting a retention schedule for the data that may be collected with 
respect to the SORN for Market and Consumer Research Records. 


C.tPITO/DliFFVhl. 

Are there any forms or surveys that are associated with the collection of the information that 
would be covered by the Paperwork Reduction Act? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB,022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
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privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 


C.APrro/DiJFFY 62 . 

Are there any privacy risks for this system that relate to the purpose of the collection? If so, how 
will the CFPB mitigate these risks? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

The general privacy risks associated with all collections of personally identifiable information is 
that individuals do not understand how information about them is being used, and that the PlI is 
inappropriately used or disclosed. The Bureau takes care to provide individual with notice of the 
authority under which it is collecting information, and maintains such information in a manner 
consistent with the Privacy Act of 1974, 5 U.S.C. § 552a, the Federal Information Security 
Management Act of 2002, 44 U.S.C. § 354 1 et seq., and other applicable Federal laws and 
regulations. The Bureau further mitigates privacy risks by relying on pulling samples or 
conducting surveys of population segments; by limiting access to information to personnel with a 
business need for that access; by providing its personnel with privacy and security training as 
well as job training to ensure the appropriate use and protection of information; and by reducing 
the risk of misuse of the data by removing direct or personal identifiers, masking, or aggregating 
the data as appropriate to the use. 


CAiT'ro/l)i;FFy 63. 

Are individuals given notice prior to the collection of personal information about them? If not, 
why not? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, where the Bureau collects personal information from individuals directly, the Bureau 
provides individuals with actual notice through a Privacy Act Statement. When the Bureau 
collects information about individuals indirectly, including when it obtains such infonnation 
from other agencies, financial institutions, or other third parties, the Bureau provides individuals 
to whom the information pertains with notice of its collection activities by publishing a SORN in 
the Federal Register. In addition to these Privacy Act notices, in general, the Bureau also 
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provides notice of its information collection activities through media such as press releases, 
policy statements, and web postings. 


CAPITO/Dt.ifF Y 64 . 

Are individuals given notice prior to their information being shared with any entity outside of the 
CFPB? If not, why not? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

When the Bureau collects information about individuals indirectly, including when it obtains 
such information from other agencies, financial institutions, or other third parties, the Bureau 
provides individuals to whom the infomiation pertains with notice of its collection activities by 
publishing a SORN in the Federal Register. 


CAITrO/DtifFVfis. 

Do individuals have the opportunity and right to decline to provide infonnation? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, where the Bureau collects personal information from individuals directly, the Bureau 
provides individuals with actual notice through a Privacy Act Statement that informs such 
individuals as to whether their provision of information to the Bureau is mandatory or voluntary 
and, if mandatory, what the consequences to them are, if any, of their refusals to provide the 
information to the Bureau. When the Bureau collects information about individuals indirectly, 
including when it obtains such information from other agencies, financial institutions, or other 
third parties, the Bureau provides individuals to whom the information pertains with notice of its 
collection activities by publishing a SORN in the Federal Register. In these instances of indirect 
collection, the Bureau does not generally provide individuals with an opportunity to refuse to 
provide the information to the Bureau. 
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Capito/Duffv 66. 

Do individuals have the right to consent to particular uses of the information? If so, how does the 
individual exercise the right? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, when the Bureau collects personal information directly from individuals, the 
individuals would be notified regarding applicable opportunities and rights to consent to 
particular uses of their information to the extent provided under the Privacy Act. They may have 
the right to decline to provide information or withhold consent at the time the information is 
collected. 

CAWTO/OurifV 67. 

Whose information is included in the system? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records” (CFPB.022). There is no 
single system of consolidated data maintained by the Bureau. No activities have taken place 
with respect to this SORN; the Bureau published the SORN proactively with the goal of having 
these privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 


C.vmo/Dl.if'FV 68. 

What Personally Identifiable Information will the system include? Why is the collection and use 
of Personally Identifiable Information necessary to the project or system? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records” (CFPB.022). There is no 
single system of consolidated data maintained by the Bureau. No activities have taken place 
with respect to that SORN; the Bureau published the SORN proactively with the goal of having 
these privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

C.4PlT0/l)l:FFy 69. 

Will the system aggregate previously unavailable data about the individual to create new data 
about the individual? If so, how will this data be maintained and used? 
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Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to this SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 


C.-tPITO/OUFFV 70. 

What controls exist to protect the consolidated data and prevent unauthorized access? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN ; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

The Bureau practice is to categorize all of its systems using Federal Information Processing 
Standard Publication 1 99, Standards for Security Categorization of Federal Information and 
Information Systems (FIPS 199). Based on this categorization, the Bureau implements security 
controls from National Institute of Standards and Technology Special Publication 800-53, 
Recommended Security Controls for Federal Information Systems and Organizations, to secure 
its data. Any additional Bureau policies, processes, and procedures, including those related to 
access, are based on these standard federally-practiced controls, industry best practices, as well 
as other guidelines and mandates issued for government agencies. 

CAPITO/DUFFy 71. 

Will the system monitor the public? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

With respect to information collected by the Bureau, please see response to questions 1 and 1 7. 
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CAPiTO/DL'FFV 72. 

What kinds of reports can be produced on individuals? Will the data included in the reports 
produced be anonymized? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 ~ Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

The Bureau does not publish reports of data that are directly identifiable to any particular 
consumer or that it has reason to believe are likely to identify any particular consumer 
indirectly. 

C.APITO/Dl.TrV 73, 

How will the information in this system be used? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

With respect to information collected by the Bureau and its use, please see response to questions 
1 and 17, 

CAPn'O/DUFFV 74. 

Is the information in the project limited to only the information that is needed to carry out the 
purpose of the collection? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB,022 - Market and Consumer Research Records,” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, the Bureau collects information to carry out its statutory mandates with emphasis on 
promoting efficiency and minimizing burdens on those involved in the collection. 
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C:aPITO/DliFF\' 75. 

What types of tools are used to analyze data and what type of data may be produced? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, the Bureau uses standard statistical querying tools such as SAS, Stata, Matlab and 
Gauss to analyze data. Using these tools, the Bureau is able to produce descriptive analyses and 
more complex econometric models 

Capito/Dfffv 76, 

If the system uses commercial or publicly available data, how and why is this data used? 
Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled ‘‘CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

With respect to commercial or publicly available data collected by the Bureau, please see 
responses to questions 1 and 17. 

Capito/Duffy 77. 

With which internal organizations is information shared? What information is shared, and for 
what purpose? How is this information transmitted or disclosed? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled ‘‘CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 
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Capito/Dli-tyTS. 

With which external organizations, including federal, state, local, or foreign agencies, or private 
sector organizations, is information shared? What information is shared, and for what purpose? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 ^ Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 


CAI>iTO/l)liFFY 79. 

Is the sharing of information outside the CFPB compatible with the original collection? What 
legal mechanisms, authoritative agreements, documentation, or policies are in place detailing the 
extent of the sharing and duties of each party? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

The SORN covering Market and Consumer Research states that the Bureau may share externally 
certain information as authorized by law. 

CAPITO/DI.'FFV 80, 

Under what legal mechanism is the system allowed to share the information in identifiable form 
or personally identifiable information outside of the CFPB? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited .should any relevant data collection 
necessitating a SORN be undertaken. 

The Privacy Act of 1974 generally prohibits the disclosure of a record contained in a system of 
records, except as provided for in the Privacy Act or pursuant to a routine use described in a 
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SORN. The Market and Consumer Research Records SORN set out the types of records that 
could be collected and the potential use and disclosures that could be made of those records. In 
addition, the Dodd-Frank Wall Street Reform and Consumer Protection Act, 12 U.S.C. 

§551 2(c)(6), directs the Bureau to “prescribe rules regarding the confidential treatment of 
information obtained from persons in connection with the exercise of its authorities under 
Federal consumer financial law,” and to, in certain circumstances, provide access to other 
agencies to confidential supervisory information. To these ends, the Bureau promulgated 
regulations, at 12 C.F.R. part 1070, that set forth its rules regarding the appropriate treatment of 
confidential information. These rules, in limited circumstances, authorize the sharing of 
confidential information. 

C.VFlTO/DljFFYSl. 

How is the data transmitted or disclosed to these entities? What security measures safeguard its 
transmission? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

Capito/Dufky 82 

How is the data secured by external recipients? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 


CAPITO/Dcm' 83. 

Will the database interact with other systems, whether within the CFPB or outside the CFPB? If 
so, which databases and how? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 
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CAPlT(>/DljFF\' 84. 

How is the information collected by the database verified for accuracy and completeness? 
Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records” {CFPB.022).” There is 
no single system of consolidated data maintained by the Bureau. No activities have taken place 
with respect to that SORN; the Bureau published the SORN proactively with the goal of having 
these privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

C.4i'lTO/l)lJFFY 85. 

Who has access to data in this project? How many total individuals have been authorized by the 
CFPB to access the data? What is the authorization process for access to the project? Has every 
individual with access to the CFPB’s database been subjected to “ and passed - a full 
background investigation? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records” (CFPB.022).” There is 
no single system of consolidated data maintained by the Bureau. No activities have taken place 
with respect to that SORN. The SORN was proactively published; the Bureau published the 
SORN proactively with the goal of having these privacy requirements met and public comment 
solicited should any relevant data collection necessitating a SORN be undertaken. 

C.APITO/01IFFY 86. 

Do CFPB contractors and/or agents have access to the system? If so, what controls exist to 
ensure appropriate access and what Privacy Act clauses have been inserted in their contracts? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to this SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, contractors (including contractor employees and subcontractors) may have access to 
specific databases, with access limited by several control points provided by the general 
Cybersecurity and IT Security clauses included in Bureau contracts. These clauses operate to 
ensure adequate contractor IT processes and contract employee IT security awareness training; 
contractor compliance with relevant Federal laws, including but not limited to the Federal 
Information Security Management Act of 2002 (FiSMA); Bureau oversight of contractor 
cybersecurity and pre-screening of contractor personnel; and signed contractor nondisclosure 
agreements (NDAs), as appropriate. 
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Capito/Ouffv 87. 

How many contractors and agents cuirently have access to the database? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, access to Bureau data is controlled and access logs to Bureau systems are kept and 
maintained in accordance with Bureau policy based on National Institute of Standards and 
Technology Special Publication 800-53 Recommended Security Controls for Federal 
Information Systems and Organizations (NIST SP 800-53) guidelines. 

CAPITO/DUFFy 88. 

How is access to the data by a user determined? Are procedures documented? Are access logs 
kept? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB,022 - Market and Consumer Research Records” (CFPB.022). There is no 
single system of consolidated data maintained by the Bureau, No activities have taken place 
with respect to that SORN; the Bureau published the SORN proactively with the goal of having 
these privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, Bureau Technology stafl' follow a process that generates an approved privileged user 
access list following an articulated justification as to why access is required for any given 
database. Access to Bureau data is controlled and access logs to Bureau systems are kept and 
maintained in accordance with Bureau policy based on National Institute of Standards and 
Technology Special Publication 800-53 Recommended Security Controls for Federal 
Information Systems and Organizations (NIST SP 800-53) guidelines. 


CAPlTO/BUFf V 89. 

Has the CFPB completed a system security plan for the information system supporting this 
project? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 


Page 34 of 49 



CAPITO/DUFF'i' 90, 

How is the system secured? 


93 


Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau, No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, the Bureau categorizes its systems using Federal Information Processing Standard 
Publication 199, Standards for Security Categorization of Federal Information and Information 
Systems (FIPS 199). Based on this categorization, CFPB then utilizes recommended security 
controls from National Institute of Standards and Technology Special Publication 800-53 
Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 
800-53) to secure its systems and data. Bureau policies, processes, and procedures, including 
those related to access are based on these controls as well as other federally-mandated guidelines 
and standards. 

C.VPI'rO/Dlifl- Y 91. 

Are there any mechanisms in place to identify security breaches? If so, what are they? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, the Consumer Financial Protection Bureau has multiple security controls in place to 
identify security breaches of CFPB databases and Systems of Record. These controls are derived 
from National Institute of Standards and Technology Special Publication 800-53 Recommended 
Security Controls for Federal Information Systems and Organizations (NIST SP 800-53) 
guidance and include audit log monitoring, analysis, and reporting. A “defense in depth” 
approach is used that includes monitoring at various levels of the system from application, 
operating system, database to network firewalls and intrusion detection systems (IDS). 


Capito/Dfffy 92. 

What auditing measures/controls and technical safeguards are in place to prevent misuse (e.g., 
unauthorized browsing) of the data? 
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Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s SORN 
entitled “CFPB.022 - Market and Consumer Research Records.” There is no single system of 
consolidated data maintained by the Bureau. No activities have taken place with respect to that 
SORN; the Bureau published the SORN proactively with the goal of having these privacy 
requirements met and public comment solicited should any relevant data collection necessitating 
a SORN be undertaken. 

In general, the Bureau’s controls are derived from National Institute of Standards and 
Technology Special Publication 800-53 Recommended Security Controls for Federal 
Information Systems and Organizations (NIST SP 800-53) guidance. Access to data and system 
resources is limited; technical controls and other safeguards are implemented and monitored to 
identify potential misuse. 


C.APrro/DuFFV 93. 

What opportunities are available for individuals to consent to uses, decline to provide 
information, or opt out of the project? IF no opportunities are available to consent, decline or opt 
out, why not? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

In general, where the Bureau collects information directly from individuals under the Privacy 
Act, it provides them with Privacy Act Statements that inform such individuals as to whether 
their provision of information to the Bureau is mandatory or voluntary and, if mandatory, what 
the consequences to them are, if any, of their refusals to provide the information. 

Capito/Ddffv 94. 

What procedures will allow individuals to access their information? 

Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau, No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met and public comment solicited should any relevant data collection 
necessitating a SORN be undertaken. 

in general, where the Bureau collects information that is retrieved by a direct or personal 
identifier and maintained in a SORN under the Privacy Act, individuals may request access to, 
amend, and correct records that pertain to them by submitting a request in writing in accordance 
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with instructions appearing in Title 12 part 1070 of the Code of Federal Regulations, “Disclosure 
of Records and Information.” 


Capito/Diiffy 95. 

Can individuals amend information about themselves in the system? If so, how? If not, why not? 
Response 

Please see the response to question 94. 

Capito/Diiffy 96. 

What are the procedures for correcting inaccurate or erroneous information? 

Response 

Please see the response to question 94. 


CAPrro/Oiii'FV 97. 

How are individuals notified of the procedures for correcting their information? 

Response 

Please see the response to question 94. 

C.4Prro/l)u(-i'v 98. 

What privacy training is provided to users, either generally or specifically relevant to the project? 
Response 

As requested, this response pertains to the Consumer Financial Protection Bureau’s (Bureau) 
SORN entitled “CFPB.022 - Market and Consumer Research Records.” There is no single 
system of consolidated data maintained by the Bureau. No activities have taken place with 
respect to that SORN; the Bureau published the SORN proactively with the goal of having these 
privacy requirements met should any data collection necessitating a SORN be undertaken. 

In general, the Bureau provides privacy and security training to all employees of the Bureau, 
including contractors who handle personally identifiable information on behalf of the Bureau, in 
accordance with 0MB M-07-16, Safeguarding Against and Responding to the Breach of 
Personally Identifiable Information, May 22, 2007, available at 
http://www.whitehouse.gOv/sites/default/files/omb/memoranda/fy2007/m07-16.pdf 
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QUESTIONS FROM REP. BLAINE LUETKE.MEYER 


Ei:etkemeyer J. 

According to recent reports, the CFPB has entered into more than $15 million worth of contracts 
with credit reporting agencies, consultants and data analysis companies for the collection and 
analysis of consumer data. What is the justification for spending this amount of money and 
obtaining this type of data? 

Response 

In carrying out its congressionally-mandated supervisory, enforcement, and regulatory functions, 
the Consumer Financial Protection Bureau (Bureau) relies on rigorous empirical analyses - 
grounded in data ~ to understand how the markets for consumer financial products and services 
actually work. Data analysis is also fundamental to fulfilling the Bureau’s mandate to protect 
consumers. Analysis of data, as the law creating the Bureau contemplated, enables the Bureau 
not only to better protect and educate consumers, but also to coordinate with other regulators and 
craft tailored rules based on careful examination of costs and benefits. The Bureau’s evaluation 
of this data also allows it to provide meaningful reports, as required by Congress, and to perfonn 
its consumer response function. 

Li'etkemeyer 2. 

While the CFPB claims to be data driven, two of its recent studies on payday loans and overdraft 
products had several pages of compelling data yet drew several conclusions that were not 
supported by the data in either report. Furthermore, the studies did not examine any alternatives 
to these products. Why did the CFPB spend time studying these products only to draw 
unsupported conclusions? Given the burden to business and cost to the taxpayers that are 
associated with the CFPB’s current data collection efforts, how will the CFPB ensure that future 
reports are empirically based, rather than drawing unsupported conclusions? 

Response 

The Consumer Financial Protection Bureau’s white papers on payday loans and deposit advance 
and overdraft programs are based on analytically rigorous and objective analysis of a robust 
dataset. Both studies draw conclusions that are supported by the data. In each case, the study 
contained a concluding section which discusses some of the potential policy implications of the 
empirical findings and identifies areas for future study. 

LIJETKE.MEYER3. 

If detailed consumer information the CFPB receives is “de-identified”, how does the agency 
ensure that the information is not “re-identified”? 

Response 

The Consumer Financial Protection Bureau (Bureau) is sensitive to the concept and risks of re- 
identification generally and has been careful to minimize that risk by purchasing data without 
direct or personal identifiers and by securing its credit card database account-level data without 
direct or personal identifier. The data the Bureau has obtained for its market-monitoring 
activities is maintained in discrete databases and the Bureau does not have any common 
identifiers that would allow data to be linked across databases. Bureau personnel are required to 
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complete privacy training on an annual basis, which includes how to use and protect personal 
information appropriately. To the extent the Bureau publishes studies analyzing consumer 
financial markets, it has presented the information in an aggregate form that cannot be used to 
identify, either directly or indirectly, any particular individual. 

LUETKEMEVKRf. 

The Right to Financial Privacy Act (RFPA) and Dodd-Frank require federal agencies to provide 
notice to consumers before obtaining information about the consumers from a “financial 
institution.” Dodd-Frank also provides that CFPB may not obtain personalty-identifiable 
information without first obtaining written permission from the consumer. Specifically, how has 
the CFPB complied with these regulations? Has the CFPB obtained written permission before 
obtaining this information from credit bureaus? 

Response 

The Consumer Financial Protection Bureau (Bureau) complies with Right to Financial Privacy 
Act (RFPA) and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank 
Act), which contain exceptions to their generally applicable notice provisions for the Bureau and 
other federal agencies in certain circumstances. Various exceptions to the RFPA, as amended, 
authorize the Bureau to obtain information from financial institutions about their customers 
without first providing notice to and obtaining the consent of such customers. Additionally, the 
restrictions set forth in the RFPA apply only to information that is identifiable to particular 
customers of financial institutions. Where the Bureau seeks information from financial 
institutions that excludes direct or personal identifiers, the restrictions of the statute do not apply. 

LUETKEMEYER 5. 

Has the Bureau complied with provisions of the Privacy Act such as obtaining public comment 
about the proposed creation of a “system of records”? If not, why not? 

Response 

When required by the Privacy Act, the Consumer Financial Protection Bureau (Bureau) 
publishes System of Records Notices in the Federal Register for public comment. Also as 
required by the Privacy Act, the Bureau forwards copies of SORNs to the House of 
Representatives Committee on Oversight and Government Reform, the Senate Committee on 
Homeland Security and Governmental Affairs, and the Office of Management and Budget. 


LliETKE.MEVER6. 

What steps has the Bureau taken to ensure the security and confidentiality of the information in 
the loan level database? Where will the information be maintained and by whom? 

Response 

The Consumer Financial Protection Bureau (Bureau) does not maintain a single loan-level 
database. At present, we have acquired commercially-available mortgage datasets, the credit 
panel from a credit reporting agency, and are developing the National Mortgage Database. In 
addition, we have various datasets collected under the Bureau’s supervisory or enforcement 
authority. 
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The Bureau categorizes all of its datasets using Federal Information Processing Standard 
Publication 199, Standards for Security Categorization of Federal Information and Information 
Systems (FIPS 199). Based on this categorization, the Bureau implements security controls from 
National Institute of Standards and Technology Special Publication 800-53 Recommended 
Security Controls for Federal Information Systems and Organizations to secure its data. Any 
subsequent Bureau policies, processes, and procedures, including those related to access, are 
based on these standard federally-practiced controls, industry best practices, as well as other 
guidelines and mandates issued for government agencies. 

Luetkemeyer 7. 

The Office of Inspector General for the Federal Reserve System recently reported that the CFPB 
needed to strengthen its security controls around its consumer response system. Given these data 
security concerns about the CFPB’s existing data collection efforts, how does the system that 
holds all the consumer data differ in terms of data security? 

Response 

The Consumer Financial Protection Bureau (Bureau) appreciates the efforts of the Office of 
Inspector General (OIG) directed at improving Bureau’s operations, and is pleased that the 
OIG’s review of the Bureau’s information security procedures did not identify any reportable 
conditions in the design or implementation of the relevant controls. Based on the Federal 
Information Processing Standard Publication 199, Standards for Security Categorization of 
Federal Information and Information Systems (FIPS 199), the consumer response system and 
other systems hosting data have been categorized as moderate and therefore utilize the associated 
recommended security controls from National Institute of Standards and Technology (NIST) 
Special Publication 800-53 Recommended Security Controls for Federal Information Systems 
and Organizations (NIST SP 800-53) to secure its systems and data appropriately. The OIO’s 
report noted measures taken by the Bureau to secure data within the system, and the 
configuration and change control processes that are based on the guidance provided by NIST. 

The Bureau’s Cybersecurity Program has been dedicated to continuous improvement, including 
implementing recommendations from OIG. At the time of the OIG report’s publication, the 
Bureau had already had begun to take action on its recommendations and to finalize integral 
policies and procedures that address many of the issues discussed in the report. 

LliETKE.MEVERS. 

Consumer financial services providers have strict requirements for notifying consumers of when 
their personal information may have been subject to a data breach. What procedures are in place 
for the CFPB to notify consumers and businesses subject to its latest collection efforts in the 
event of a security breach? Will the CFPB plan to offer any kind of redress to financial services 
market participants who lose proprietary information, and therefore suffer market losses as a 
result from a breach in data security? 

Response 

The Consumer Financial Protection Bureau (Bureau) continues to rely, in part, on elements of 
Treasury’s network and related IT infrastructure, including Treasury’s directives that relate to 
security and privacy incidents. In anticipation of the Bureau’s move to its own network 
infrastructure, the Bureau has developed new directives related to security and privacy incidents, 
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which it will issue upon network independence. In the interim, the Bureau has developed 
supplemental incident-reporting materials for managing the breach, loss, or compromise of 
personally identifiable infonnation (PlI). These materials, in conjunction with processes 
outlined in Treasury’s privacy and security incident directives, help the Bureau meet the 
requirements around the suspected or confirmed breach, loss, or compromise of PlI outlined in 
OMB-issued guidance (i.e. 0MB M-07-16, Safeguarding Against and Responding to the Breach 
of Personally Identifiable Information, May 22, 2007). As part of its supplemental interim 
procedures, the Bureau would assess the risk significance (or analyze the risk of harm) posed by 
a breach, loss, or compromise of PlI to determine if notification, outreach, or additional 
mitigation is warranted or necessary. This would include alerting impacted individual 
consumers when their PII is confirmed breached. When deemed necessary (i.e. risk of harm is 
deemed high), additional mitigation steps might include, for example, offering impacted 
individuals credit monitoring subscriptions/services. 

LI’ETKEMEYER <>. 

Dodd-Frank authorizes the Bureau to collect data that is “necessary” for it to fulfill its statutory 
duties. Why is it “necessary” to collect the volume of information that the Bureau plans to 
compile? Why would not data sampling suffice? 

Response 

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) contains a 
number of separate grants of authority to the Consumer Financial Protection Bureau (Bureau) to 
collect information, as well as a general authority to enter into contracts to purchase goods and 
services, including data. Under section 1 022(c)(4)(B)(ii) of the Dodd-Frank Act, the Bureau can 
require covered persons or service providers to provide reports or answers to questions by rule or 
order as “necessary for the Bureau to fulfill the monitoring, assessment and reporting 
responsibilities imposed by Congress” including the responsibility to “monitor risks to 
consumers in the offering or provision of consumer financial products or services” and 
“developments in markets for such products or services.” The Bureau has used this and other 
information collection authorities in an appropriate fashion. For example, the Bureau’s recently- 
issued orders requiring certain covered persons to provide standard form consumer credit 
agreements will assist it in completing the study mandated by section 1 028(a) of the Dodd-Frank 
Act. 

The Bureau’s responses herein, including specifically the response to Capito/Duffy question 1 
and 44 above, describe the Bureau’s usage of data to fulfill its statutory mandates, including in 
areas such as supervision, enforcement, regulation, research and analysis, and consumer 
response. The Bureau makes every effort to ensure that its data collections are appropriate in 
size, frequency, and number to the regulatory functions for which they are to be used. 

The Bureau recognizes the importance of minimizing burdens on the institutions it supervises. 
The Bureau has collected random samples of data for its consumer credit panel and the Bureau, 
in collaboration with the Federal Housing Finance Agency is using sampling for the national 
mortgage database. In certain instances, the Bureau has been able to modify its information 
requests and demands to reduce the burden on the institutions while still accomplishing the 
purposes of the examination or enforcement action. For the credit card database, credit card 
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issuers provide a full file of accounts to the Bureau’s contractor rather than a random sample 
because this is the same format in which they provide data to the same contractor for 
benchmarking services that they purchase from the contractor pursuant to private agreements. 
This reduces costs and burden for the issuers supplying the data as it avoids the need to draw a 
random sample, to provide data with respect to those accounts on an ongoing basis, and to add to 
the sample each time the data is provided to assure that the sample remains representative of all 
accounts, including newly-originated accounts. 

Li.’Etkemeyer 10. 

The Paperwork Reduction Act requires the CFPB to obtain a “control number” from OMB for 
any collections of information, and to explain how the information limits the burden for 
businesses and individuals to the minimum necessary. Has the Bureau sought or obtained OMB 
clearance for these collections of information? If not, why not? 

Response 

The Consumer Financial Protection Bureau has sought and obtained OMB clearances consistent 
with the Paperwork Reduction Act. 
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REP. BILL POSEY (FL-S) 

During my committee question time, I referenced a December 21, 2012 letter sent to the CFPB 
containing 1 9 specific questions. Two months later, on February 2 1 , 20 1 3, I received a three 
paragraph letter that did not provide to a single specific response to any of the questions from my 
December letter. 

I therefore ask, once again, for you to answer the following 19 questions: 

Posey 1. 

What is the CFPB’s statutory authority to collect, each month, detailed information on every loan 
in certain financial institutions’ portfolios? 

Response 

Your December 21 , 201 2 letter inquired about a “‘loan level data’ project ... to collect 
information on consumer credit card accounts.” The Bureau, in the exercise of its supervisory 
authority, is obtaining data stripped of direct or personal identifiers with respect to all credit card 
accounts maintained by a number of large card issuers. This data is collected and housed on 
behalf of the Bureau by Argus Information and Advisory Services, a company that is in the 
business of obtaining account-level data for credit cards and other financial services from 
financial services companies. The data being provided to the Bureau are the same type of data 
that credit card issuers regularly provide to Argus, such as the monthly balance, fees charges, 
interest charged, and payments received on accounts. The data the Bureau receives does not 
include transactions, such as purchases. 

A number of provisions in the Dodd-Frank Wall Street Reform and Consumer Protection Act 
(Dodd-Frank Act), among them 12 U.S.C. § 5512(c), 12 U.S.C. § 5514(b), 12 U.S.C. § 5515(b), 
12 U.S.C. § 5534, and 12 U.S.C. § 5562, authorize the Consumer Financial Protection Bureau to 
request information. Sections 1024 through 1026 of the Dodd-Frank Act, 12 U.S.C. §§ 5514- 
5516, authorize and regulate the Bureau’s supervisory activity, including the gathering of the 
information collected and housed by Argus. 

Posey 2. 

What provision of law specifically permits or requires the CFPB to collect loan level data? 
Response 

Please see the response to question 1. 

Posey 3. 

How many institutions have been asked to furnish data to the Bureau for this project? How many 
individual consumers’ records will be included in the database? 

Response 

Your December 21, 2012 letter inquired about a “‘loan level data’ project ... to collect 
information on consumer credit card accounts.” Plea,se see the response to question 1 for a 
description of this activity. Fewer than 10 institutions have been asked to furnish credit card data 
to the Consumer Financial Protection Bureau (Bureau) for purposes of this project. The Bureau 
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is unable to determine the number of individual consumers’ records covered as the records are 
provided on a de-identified basis so that the Bureau cannot link the data in order to determine 
whether multiple records represent multiple individuals or multiple accounts of a single 
individual. 

POSEV 4. 

Dodd-Frank authorizes the Bureau to collect data that is “necessary” for it to fulfill its statutory 
duties. Why is it “necessary” to collect the volume of information that the Bureau plans to 
compile? Why would not data sampling suffice? 

Response 

Your December 21, 2012 letter inquired about a “Moan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. In support of this project, credit card issuers provide a full file of 
accounts to the Bureau’s contractor rather than a random sample because this is the same format 
in which they provide data to the same contractor for benchmarking services that they purchase 
from the contractor pursuant to private agreements. This reduces costs and burden for the issuers 
supplying the data as it avoids the need to draw a random sample, to provide data with respect to 
those accounts on an ongoing basis, and to add to the sample each time the data is provided to 
assure that the sample remains representative of all accounts, including newly-originated 
accounts. 

PO.SEY 5. 

If the data is “necessary” for consumer protection purposes, why is the Bureau obtaining it only 
from a small number of financial institutions? 

Response 

Your December 21, 2012 letter inquired about a “Moan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. The Consumer Financial Protection Bureau is collecting credit card 
data as part of its supervision program and not pursuant to Section 1 022(b)(4)(B)(ii) of the 
Dodd-Frank Act. The issuers from whom the data is being collected are the largest credit card 
issuers and thus have particularly significant potential to create risks to consumers. 

PO.SIEY (l. 

How will the Bureau protect consumers of institutions that are not subject to the data collection 
requirement? 

Response 

Your December 21, 2012 letter inquired about a “Moan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. The Consumer Financial Protection Bureau (Bureau) uses all of its 
available authorities to protect consumers of financial products and services. The Bureau seeks 
to use its limited resources in the most effective way possible, including choosing carefully the 
institutions on which to focus its supervisory', enforcement, and other efforts. 
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Posey 7. 

The Dodd-Frank provision authorizing the Bureau to obtain information for supervisory 
purposes refers to the “periodic” collection of information. How does an ongoing and perpetual 
collection of information meet the “periodic” standard? 

Response 

Your December 21, 2012 letter inquired about a ‘“loan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. The Consumer Financial Protection Bureau (Bureau) is authorized to 
gather information from institutions it supervises in order to assess compliance with the 
requirements of Federal consumer financial law, obtain information about the institutions’ 
activities and compliance systems or procedures, and detect and assess risk to consumers and to 
consumer financial markets. Like other financial regulators, the Bureau receives, from certain 
institutions, loan-level data on a periodic basis relating to certain types of products. The Bureau 
is not receiving a real-time stream of continuous information about these products. 

Posey 8. 

What are the specific purposes of collecting extensive personally-identifiable financial 
information about virtually everyone with a home mortgage or credit card? Why could such 
purpose(s) not be achieved by collecting a narrower set of data, or by the use of sampling? 

Response 

Your December 21, 2012 letter inquired about a ‘“loan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. The Consumer Financial Protection Bureau (Bureau) does not collect 
personally identifiable financial information about virtually everyone with a home mortgage or 
with a credit card. The national mortgage database which the Bureau and the Federal Housing 
Finance Agency (FHFA) are jointly creating contains a random sample of de-identifled records 
of consumers with home mortgages drawn from the national credit reporting agency with whom 
the FHFA has contracted. Likewise, the Consumer Credit Panel is based on a small 
representative sample of the US population (approximately 2 to 4%) and contains only dc- 
identified records. The credit card database contains records of all accounts from the issuers 
supplying this data for the reasons explained in response to question 4. The information in these 
databases is stripped of direct or personal identifiers. 


Posey 9. 

What steps has the Bureau taken to ensure the security and confidentiality of the information in 
the loan level database? Where will the information be maintained and by whom? When and 
how will such information be destroyed after use? 

Response 

Your December 21, 2012 letter inquired about a “‘loan level data’ project ... to collect 
infomiation on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. Loan-level credit card data is being maintained for the Bureau by 
Argus Information & Advisory Services which performs this same service for many credit card 
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issuers. Please see the sections relating to security and confidentiality in the contract with Argus 
Information & Advisory Services produced in response to Capito/Duffy question 6. 

The Bureau will manage all files in the system as permanent records until the disposition 
schedule for these records is approved by the National Archives and Records Administration, at 
which time, the Bureau will dispose of such files in accordance with the schedule. 

POSEV 10. 

Has the Bureau informed the financial institutions whose infonnation is being collected of such 
security and confidentiality measures? If not, how can financial institutions who furnish 
information to the Bureau comply with their GLBA obligation to maintain the security of 
personally identifiable customer information? 

Response 

Your December 21, 2012 letter inquired about a ‘“loan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. The information that the Consumer Financial Protection Bureau 
receives about consumers for the purposes of this project comes directly from financial 
institutions, and all of this information excludes direct or personal identifiers. The Gramm- 
Leach-Bliley Act and its implementing regulation. Regulation P, define “personally identifiable 
financial information” to exclude “information that does not identify a consumer, such as 
aggregate information or blind data that does not contain direct or personal identifiers, such as 
account numbers, names, or addresses.” 12C.F.R. Section 1016.3(q)(2)(ii)(B). 

Even assuming that the financial institutions were disclosing personally identifiable financial 
information for this project, these disclosures would be exempt under the Gramm-Leach-Bliley 
Act and Regulation P. The Gramm-Leach-Bliley Act and Regulation P do not restrict financial 
institutions from disclosing personally identifiable financial information about consumers to 
“government regulatory authorities having jurisdiction for examination, compliance, or other 
purposes as authorized by law.” 15 U.S.C. 6802(e)(8) and 12 C.F.R. Section 1016.15(a)(7)(iii). 

PO.SEV li. 

In the event of a breach of CFPB security that results in a loss to consumers and the institutions 
that furnished information about them, who is liable for the loss? 

Response 

Should the Consumer Financial Protection Bureau (Bureau) experience an incident that results in 
such a loss, the incident would be handled according to the Bureau’s incident response 
procedures. These procedures are consistent with government standards and incorporate best 
practices from public and private sector incident handling teams. Liability for loss would 
typically be determined based on the factors that led to a breach. 

Posey 12. 

Will the Bureau share information in the loan level database with other government agencies 
(e.g., OCC, FDIC, Federal Reserve, IRS, state consumer protection or tax officials?) Does the 
Bureau have the authority to refuse to share information with such entities? 
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Response 

Your December 21, 2012 letter inquired about a “‘loan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. The Consumer Financial Protection Bureau has entered into a 
Memorandum of Understanding with the Office of the Comptroller of the Currency (OCC) under 
which the loan level data in the credit card database can be shared with the OCC. This assures 
that the issuers will not be subject to duplicative requests for data. 

POSEY 13. 

Does the GLBA privacy policy notification requirement obligate financial institutions to inform 
their customers that information about them is being furnished to the CFPB? Do consumers 
have a right to “opt out” of such information sharing? The GLBA notice and opt out standards do 
not apply to information furnished to Federal functional regulators “to the extent specifically 
permitted or required under other provisions of law”. 

Response 

Please see response to question 10. 


POSEV 14. 

Section 2012 of Dodd Frank requires the Bureau to enforce Federal consumer financial law 
“consistently” to promote markets that are “competitive.” isn’t the creation of a database 
consisting solely of information obtained from larger institutions inconsistent with these 
requirements? What is the basis for collecting data only from a limited number of 
institutions? What has the Bureau done to evaluate the competitive implications of limiting its 
data collection to certain institutions? 

Response 

Your December 21, 2012 letter inquired about a “Moan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. The Consumer Financial Protection Bureau’s (Bureau) credit card 
data collection activity is being conducted in coordination with the prudential regulators to 
ensure that the same data elements are being requested and that all large issuers are subject to a 
consistent requirement to provide account level data. The data collected represent approximately 
85-90% of outstanding card balances. The issuers from whom the data is being collected are the 
largest credit card issuers and thus have particularly significant potential to create risks to 
consumers. 

Posey 15. 

Has the Bureau sought or obtained 0MB clearance for the establishment of the loan level 
database? If not, why not? 

Response 

Your December 21, 2012 letter inquired about a “‘loan level data’ project . . .to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
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description of this activity. The Consumer Financial Protection Bureau has determined that the 
Paperwork Reduction Act is not applicable to this collection of data. 


Posey J6. 

Has the Bureau complied with provisions of the Privacy Act such as obtaining public comment 
about the proposed creation of a “system of records”? If not, why not? 

Response 

Your December 21, 2012 letter inquired about a “‘loan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. When required by the Privacy Act, the Consumer Financial 
Protection Bureau publishes System of Records Notices in the Federal Register for public 
comment. Also as required by the Privacy Act, the Bureau forwards copies of SORNs to the 
House of Representatives Committee on Oversight and Government Reform, the Senate 
Committee on Homeland Security and Governmental Affairs, and the Office of Management and 
Budget. 

POSEY 17. 

Is information in the database exempt from Freedom of Information Act requests? 

Response 

Your December 21, 2012 letter inquired about a ‘“loan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. Loan-level data that the Consumer Financial Protection Bureau 
obtains pursuant to its supervisory authority is exempt from public disclosure pursuant to 
Exemption 8 of the Freedom of Information Act, 5 U.S.C. § 552(b)(8). To the extent that such 
data consists of trade secrets or confidential commercial information, it is also exempt from 
public disclosure pursuant to Exemption 4 of the FOIA. 

POSEY 18. 

How does the information collected by the Bureau differ from information collected from the 
same institutions by other regulators (e.g., OCC, FDIC, Federal Reserve, Office of Financial 
research)? To the extent it is the same, why has the Bureau decided not to obtain the information 
from the other regulators? Explain why the Dodd Frank Section 1 025 requirement for 
“coordination” with prudential regulators to “minimize regulatory burden” do not apply to the 
loan level database. 

Response 

Your December 21, 2012 letter inquired about a “‘loan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. The Consumer Financial Protection Bureau is coordinating with the 
prudential regulators to ensure that the same data elements are being requested from all 
institutions from which data is being obtained on a consistent basis, and also to ensure that no 
institution is being required to provide the same data to multiple regulators. 
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Posey 19. 

Will members of the public have access to the information maintained about them by the 
Bureau? Is there a mechanism for correcting errors that consumers bring to the Bureau’s 
attention? 

Response 

Your December 21, 2012 letter inquired about a “Moan level data’ project ... to collect 
information on consumer credit card accounts.” Please see the response to question 1 for a 
description of this activity. 

In general, where the Bureau collects information that is retrieved by a personal identifier and 
maintained in a SORN under the Privacy Act, individuals may request access to, amend, and 
correct records that pertain to them by submitting a request in writing in accordance with 
instructions appearing in Title 12 part 1070 of the Code of Federal Regulations, “Disclosure of 
Records and Information.” Information in the credit card database does not contain direct or 
personal identifiers and cannot be obtained by reference to direct or personal identifiers. 
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House Committee on Financial Sen'ices 
Subcommittee on Financial Institutions and Consumer Credit 
Examining the Consumer Financial Protection Bureau’s 
Collection and Use of Consumer Data 
July 9, 2013 Requests for Information 


Chairman Capito: Number of accounts on which the CFPB collects and monitors 
information. 

Response 

The Consumer Financial Protection Bureau (Bureau) does not monitor the accounts of particular 
consumers and does not track the financial habits or activities of any individual consumer. 
Instead, in the normal course of carrying out its statutory mandate to protect consumers, ensure 
regulatory compliance, and monitor the financial services and products markets for risks to 
consumers, the Bureau collects information about accounts from consumers who seek the 
Bureau’s help through the consumer response function and from the institution involved in the 
complaint. The Bureau also collects information from covered persons who are the subject of 
supervisory examinations or enforcement activity, as well as from whistleblowers and third 
parties who may have information relevant to an enforcement action. 

In addition, the Bureau performs market monitoring activities, which involve the analysis of 
market trends and risks to consumers based upon aggregating and analyzing account information 
stripped of direct or personal identifiers. Specifically, the Bureau’s market monitoring activities 
include: 

The Bureau has procured from a national credit reporting agency (CRA) credit information, 
stripped of direct or personal identifiers, with respect to a random and representative sample of 
consumers with a credit report. For the records comprising this Consumer Credit Panel (CCP), 
the Bureau receives the information in the CRA’s database with respect to all accounts 
associated with the record. The CCP records cover approximately a 4% sample of credit 
reporting agency records. The CCP is similar to panels that the Federal Reserve Board of 
Governors and the Federal Reserve Bank of New York each have maintained for several years. 

The Bureau is partnering with the Federal Housing Finance Agency (FHFA) to construct the 
National Mortgage Database (NMDB). For this database, the FHFA and Bureau have procured 
from a CRA credit information with respect to a random and representative sample of 5% of 
mortgages held by consumers. This credit information, like the data in the CCP, does not 
include direct or personal identifiers for individual consumers. The Bureau receives the 
information in the CRA’s database with respect to all accounts associated with the record. The 
Bureau cannot directly link data in the CCP with data in the NMDB and thus does not know 
whether any of the records are common to the two databases. The Bureau also procures 
commercially-available mortgage data from CoreLogic and BlackBox Logic that, like the CCP 
and NMDB, does not contain personal identifying information directly linked to individual 
consumers. 
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In the exercise of its supervisory authority the Bureau is obtaining data stripped of direct or 
persona! identifiers with respect to all credit card accounts maintained by a number of large card 
issuers. This data is collected and housed on behalf of the Bureau by Argus Information and 
Advisory Services, a company that is in the business of obtaining account-level data for credit 
cards and other financial services from financial services companies. The data being provided to 
the Bureau are the same type of data that credit card issuers regularly provide to Argus, such as 
the monthly balance, fees charges, interest charged, and payments received on accounts. The 
data the Bureau receives does not include transactions, such as purchases. Through a 
Memorandum of Understanding, the Bureau is also able to access data that is collected by a 
partner prudential regulator from an additional set of credit card issuers. The combined data 
represent approximately 85-90% of the outstanding card balances. None of the foregoing credit 
card data contain infonnation that directly identifies individuals. 

Representative Maloney: On-site visit to inspect security measures protecting consumer 
data. 

Response 

The Consumer Financial Protection Bureau’s (Bureau) Office of Legislative Affairs has been in 
contact with Representative Maloney’s office about this question. 

Representative Duffy: Number of Americans who have their data collected by the CFPB. 
Response 

As discussed in the response to question I, the Consumer Financial Protection Bureau (Bureau) 
does not monitor the accounts of particular consumers and does not track the financial habits or 
activities of any individual consumer. Instead, in the normal course of carrying out its statutory 
mandate to protect consumers, ensure regulatory compliance, and monitor the financial services 
and products markets for risks to consumers, the Bureau collects information about accounts 
from consumers who seek the Bureau’s help through the consumer response function and from 
covered persons who are the subject of supervisory examinations or enforcement activity, as well 
as from whistleblowers and third parties who may have information relevant to an enforcement 
action. Additionally, the Bureau performs market monitoring activities that involve analysis of 
account information stripped of direct or personal identifiers. These activities are described in 
response to question 1 . Without direct or personal identifiers, the Bureau cannot link these 
records to individual consumers. As a result, the Bureau cannot determine the number of 
citizens with respect to which data is being collected. 

Representative Duffy: Production of information on the contracts between the CFPB and 
third party vendors. 

Response 

Attached are contract copies (and modifications). Contracts are limited to those that involve the 
purchase, collection, analysis, and storage of relevant data. 

• Argus Information and Advisory Services LLC (5 attachments) 

• Blackbox Logic LLC (7 attachments) 
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• Brattle Group Inc. (5 attachments) 

• Clarity Services Inc. (4 attachments) 

• CLC Compliance Technologies Inc. (6 attachments) 

• CoreLogic Infonnation Solutions Inc. (4 attachments) 

• Deloitte Consulting LLP (1 attachment for contract number CFP-12-D-00006) 

• Deloitte Consulting LLP (5 attachments for contract number TPD-CFP-12-C-0008) 

• Experian (4 attachments) 

• Fors Marsh Group LLC (7 attachments) 

• PriceWaterhouseCoopers LLP (2 attachments) 

Please be aware that the documents provided are contractual documents that may contain trade 
secrets and/or proprietary or confidential information of private entities. The companies should 
be consulted before any of this information is released publicly to avoid possible competitive 
harm to these private parties. 

ATTACHMENT: Contract Copies 

Representative Luetkemeyer: Number of agreements with other agencies regarding 
transferal, access, and exchange of data. 

Response 

The Consumer Financial Protection Bureau (Bureau) Office of Consumer Response has 
agreements to share consumer complaint data with 25 state and federal agencies. 

In addition, the Bureau has signed MOUs with the Conference of State Bank Supervisors and 
other signatories from all 50 states plus Puerto Rico and the District of Columbia designed to 
preserve the confidentiality of any supervisory information shared between the parties or related 
to the operation of the Nationwide Mortgage Licensing System and the Mortgage Call Report. 

The Bureau has also signed approximately 40 other MOUs with federal, state, and local 
governmental entities regarding the potential sharing of data and/or the treatment of shared data. 

Representative Luetkemeyer: Number of agreements with foreign countries regarding 
transferal, access, and exchange of data. 

Response 

The Consumer Financial Protection Bureau does not have MOUs with any foreign governmental 
entities. 

Representative Rothfus: Number of data fields the CFPB collects per monitored credit 
card account. 

Response 

The Consumer Financial Protection Bureau (Bureau) does not monitor the accounts of particular 
consumers and does not track the financial habits or activities of any individual consumer. With 
respect to the credit card database, the fields are listed in the Request for Proposals that the 
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Bureau issued and which can be accessed at 

https://www.fbo. gov/index?s=ODPortunitv&mode=fonii&tab=core&id=61f9e255acb3ac044ffeb4 
aelOcbecOO . 

Representative Rothfus: Production of the breakdown of the 50,000 individuals and 
servicemembers due refunds; specifically the number that were a result of consumer 
complaint vs. examination activity. 

Response 

The Military Installment Loans and Education Services (MILES) enforcement action arose from 
supervisory examinations of US Bank and Dealers’ Financial Services (DFS). The target 
reviews were prompted, in part, by two complaints received by the Consumer Financial 
Protection Bureau (Bureau), both related to Army soldiers. 

In determining whether or not to conduct a target review of the MILES program, the Bureau also 
reviewed media reports and consulted the Legal Assistance Chiefs of the JAG Corps of each of 
the service branches. 

As a result of the examination, the Bureau identified program-wide violations related to the 
manner in which US Bank disclosed the $3 monthly fee imposed because servicemembers were 
required to pay by allotment, as well as the manner in which DFS marketed two add-on products 
to servicemembers. A total of approximately 50,000 servicemembers who were subjected to 
these practices will receive refunds totaling more than $6.5 million as a result of the consent 
orders. 

Representative Barr: Clarification on whether PII is searchable by identifiable 
information in either the database of the CFPB or contractor’s databases. 

Response 

The Consumer Financial Protection Bureau (Bureau) does not maintain a single database of 
consolidated information. The Bureau has published System of Records Notices (SORNs) for 
any data for which personally identifiable information is retrieved by direct or personal 
identifiers. With respect to the SORN for Market and Consumer Research Records, the Bureau 
proactively published a notice that described a range of potential data collections and uses, 
however none of the data collected by the Bureau to date for market monitoring purposes have in 
fact contained direct or personal identifiers. The Bureau’s SORNs are available at 
http://www.consumerfinance.gov/privacy-office 

Representative Barr: Confirmation on the existence of an internal privacy impact 
assessment regarding CFPB data collection; In the event PIA exists, clarification on reason 
for it not being public. 

Response 

The Consumer Financial Protection Bureau (Bureau) does not monitor individuals’ financial 
transactions. Please see responses to questions 1 and 3 for explanation of the types of 
information the Bureau collects and the purposes for that collection, including supervisory and 
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investigatory information and information obtained from financial institutions in the resolution 
of consumer complaints, some of which contains personally identifiable financial information. 
The Bureau has published System of Records Notices (SORNs) for any data for which 
personally identifiable information is retrieved by direct or personal identifiers. With respect to 
the SORN for Market and Consumer Research Records, the Bureau proactively published a 
notice that described a range of potential data collections and uses, however none of the data 
collected by the Bureau to date for market monitoring purposes have in fact contained direct or 
personal identifiers. The Bureau’s SORNs are available at 
http://www.consumerfinance.gov/privacv-office . 

In general, the Bureau safeguards privacy by conducting and publishing Privacy Impact 
Assessments (PIAs) whenever we introduce new technologies or modify existing technologies 
that contain or work with personally identifiable information, pursuant to the definition 
established by the Office of Management and Budget in OMB Memorandum 07-16 (M 07-16) 
“Safeguarding Against and Responding to the Breach of Personally Identifiable Information, 
May 22, 2007.” The Bureau has not published a PIA for any market and consumer research 
records because no such change has been introduced. 

Rep. Westmoreland: The number of people with access to data collected during consumer 
complaints. 

Response 

Consumers send their complaints to Consumer Response for response and investigation, which is 
an integral part to the Consumer Financial Protection Bureau’s (Bureau) work, as Congress set 
forth in the Dodd-Frank Wall Street Reform and Consumer Protection Act. Consumer Response 
hears directly from consumers about the challenges they face in the marketplace, brings their 
concerns to the attention of companies, and assists in addressing their complaints. 

The information consumers provide supports both the complaint process as well as informs the 
work of other parts of the Bureau. Access to confidential consumer complaint information is 
provided based on a demonstrated need and only to the extent of that need. 

Consumer Response has an active program to manage access and follows standard operating 
procedures for processing access request forms and terminating access. Currently, about 830 
Bureau staff and contractors have access. The majority of the contractors with any level of 
access to complaint information are those who answer consumers’ questions and handle 
consumers’ complaints at the Bureau’s two U.S.-based contact centers. 

Representative Duffy: Verification of the terms of the CFPB’s contract with Experian. 

Response 

The Consumer Financial Protection Bureau (Bureau) contract with Experian states that it will 
provide the Bureau with a ZIPh- 4 or other geographic identifier for each anonymous credit record 
in our sample. While the census block is provided in the contract as an example of the other 
types of geographic identifiers that might have been used, the specific task order issued to 
procure the data from Experian narrows the selection to either a ZIP+4 or census tract. 
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Consistent with the task order, the Bureau has opted to acquire census tract identifiers. Census 
tracts, which are created every 10 years by the Census Bureau and contain around 4,000 
individuals each, are broader geographic areas than census blocks or ZIP+4. The Bureau is not 
collecting ZIP+4 or census block information. 

Representative Barr: Clarification on consumers’ right to access persona! information 
obtained by the CFPB. 

Response 

The Consumer Financial Protection Bureau (Bureau) does not monitor the accounts of particular 
consumers and does not track the financial habits or activities of any individual consumer. In 
general, where the Bureau collects information that is retrieved by a direct or personal identifier 
and maintained in a SORN under the Privacy Act, individuals may request access to, amend, and 
correct records that pertain to them by submitting a request in writing in accordance with 
instructions appearing in Title 12 part 1070 of the Code of Federal Regulations, “Disclosure of 
Records and Information.” 

Representative Barr: Number of contractors, agents, and third parties granted access to 
the CFPB database. 

Response 

There is no single system of consolidated data maintained by the Consumer Financial Protection 
Bureau. 

In general, contractors (including contractor employees and subcontractors) may have access to 
specific databases, with access limited by several control points provided by the general 
Cybersecurity and IT Security clauses included in Bureau contracts. These clauses operate to 
ensure adequate contractor IT processes and contract employee IT security awareness training; 
contractor compliance with relevant Federal laws, including but not limited to the Federal 
Information Security Management Act of 2002 (FISMA); Bureau oversight of contractor 
cybersecurity and pre-screening of contractor personnel; and signed contractor nondisclosure 
agreements (NDAs), as appropriate. 

In general, access to Bureau data is controlled and access logs to Bureau systems are kept and 
maintained in accordance with Bureau policy based on National Institute of Standards and 
Technology Special Publication 800-53 Recommended Security Controls for Federal 
Information Systems and Organizations (NIST SP 800-53) guidelines. 

Access to confidential consumer complaint information is provided based on a demonstrated 
need and only to the extent of that need. Consumer Response has an active program to manage 
access and follows standard operating procedures for processing access request forms and 
terminating access. Currently, about 830 Bureau staff and contractors have access. The majority 
of the contractors with any level of access to complaint information are those who answer 
consumers’ questions and handle consumers’ complaints at the Bureau’s two U.S. -based contact 
centers. 
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Chairman Capito: Production of the categories of PI collected by the CFPB. 

Response 

The Consumer Financial Protection Bureau (Bureau) does not monitor the accounts of particular 
consumers and does not track the financial habits or activities of any individual consumer. 
Instead, in the normal course of carrying out its statutory mandate to protect consumers, ensure 
regulatory compliance, and monitor the financial services and products markets for risks to 
consumers, the Bureau collects information about accounts from consumers who seek the 
Bureau’s help through the consumer response function and from the institution involved in the 
complaint. The Bureau also collects information from covered persons who are the subject of 
supervisory examinations or enforcement activity, as w'ell as from whistleblowers and third 
parties who may have information relevant to an enforcement action. 

In addition, the Bureau performs market monitoring activities, which involve the analysis of 
market trends and risks to consumers based upon aggregating and analyzing account information 
stripped of direct or personal identifiers. Specifically, the Bureau’s market monitoring activities 
include: 

The Bureau has procured from a national credit reporting agency (CRA) credit information, 
stripped of direct or personal identifiers, with respect to a random and representative sample of 
consumers with a credit report. For the records comprising this Consumer Credit Panel (CCP), 
the Bureau receives the information in the CRA’s database with respect to all accounts 
associated with the record. The CCP records cover approximately a 4% sample of credit 
reporting agency records. The CCP is similar to panels that the Federal Reserve Board of 
Governors and the Federal Reserve Bank of New York each have maintained for several years. 

The Bureau is partnering with the Federal Housing Finance Agency (FHFA) to construct the 
National Mortgage Database (NMDB). For this database, the FHFA and Bureau have procured 
from a CRA credit information with respect to a random and representative sample of 5% of 
mortgages held by consumers. This credit information, like the data in the CCP, does not 
include direct or personal identifiers for individual consumers. The Bureau receives the 
information in the CRA’s database with respect to all accounts associated with the record. The 
Bureau cannot directly link data in the CCP with data in the NMDB and thus does not know 
whether any of the records are common to the two databases. The Bureau also procures 
commercially-available mortgage data from CoreLogic and BlackBox Logic that, like the CCP 
and NMDB, does not contain personal identifying information directly linked to individual 
consumers. 

In the exercise of its supervisory authority the Bureau is obtaining data stripped of direct or 
personal identifiers with respect to all credit card accounts maintained by a number of large card 
issuers. This data is collected and housed on behalf of the Bureau by Argus Information and 
Advisory Services, a company that is in the business of obtaining account-level data for credit 
cards and other financial services from financial services companies. The data being provided to 
the Bureau are the same type of data that credit card issuers regularly provide to Argus, such as 
the monthly balance, fees charges, interest charged, and payments received on accounts. The 
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data the Bureau receives does not include transactions, such as purchases. Through a 
Memorandum of Understanding, the Bureau is also able to access data that is collected by a 
partner prudential regulator from an additional set of credit card issuers. The combined data 
represent approximately 85-90% of the outstanding card balances. None of the foregoing credit 
card data contain information that directly identifies individuals. 



